Hello. I'm trying to identify a pool of Windows hosts by adding an additional field to the events they forward. I can do this by adding an inputs.conf in /Splunk_home/etc/system/local and this works. My metadata field is called uf_deployment::remote_laptop (see below).
[monitor://C:\Windows\System32\winevt\Logs\Application.evtx]
index = my_index
disabled = 0
sourcetype = XmlWinEventLog
_meta = uf_deployment::remote_laptop
However, the only way I can see how to do this is by monitoring a log file and using the [monitor] tag. But this presents a problem: I don't want to forward events from a log that I'm not interested in, nor do I want to duplicate events. I'm looking for a solution that will allow me to send the _meta = uf_deployment::remote_laptop field without having to "monitor" a log file. So far I have tried [default] with no success (see below). Any help is appreciated. Thank you.
[default]
index = my_index
disabled = 0
sourcetype = XmlWinEventLog
_meta = uf_deployment::remote_laptop