Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How can I merge _meta from several inputs.conf files

cwacha
Path Finder
‎06-06-2011 02:47 AM

I use the universal forwarders ability to enrich the transported files with _meta keywords as follows:

./etc/apps/myapp/local/inputs.conf

[monitor:///myfile]
  disabled = false
  _meta = key1::value key2::value

I also have global key/value pairs for _meta that I would like to add automatically to all monitor stanzas. They are defined in

./system/local/inputs.conf

[default]
  _meta = globalkey::value

The globalkey keyword gets added to all monitor stanzas that do not define a specific _meta keyword. I would like to have the globalkey keyword as well as the additionally defined key/value pairs in the apps inputs.conf defined. Unfortunately the _meta field in apps/../inputs.conf overwrites the system/local/inputs.conf _meta entry.

Is it possible to append the global keywords (defined in ./system/local/) to the defined _meta tag (defined in ./apps/local/inputs.conf) ?.

For example with a configuration as follows using $_meta:

./system/local/inputs.conf

[default]
  _meta = globalkey::value

./etc/apps/myapp/local/inputs.conf

[monitor:///myfile]
  disabled = false
  _meta = $_meta key1::value key2::value
Reply

jbsplunk
Splunk Employee
Splunk Employee
‎06-06-2011 08:29 AM

I don't think it is possible to merge entries from inputs.conf in the manner your describing here. The way precedence works is to take the stanza and do merging based on the settings. The setting with the highest priority is what is taken into account. Other settings will be ignored.

You can probably do this with a props/transforms configuration on the stanzas where you want this to occur.

Reply

jbsplunk
Splunk Employee
Splunk Employee
‎06-07-2011 07:56 AM

The universal forwarder can't do much in the way of parsing, but you can do it at the indexer that the UF is reporting into without any problem.

0 Karma
Reply

cwacha
Path Finder
‎06-07-2011 01:19 AM

As fas as I know props/transforms cannot be used with the universal forwarder...

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...