
How to add metadata to UF config files?

dionrivera
Communicator

Hello. I'm trying to identify a pool of Windows hosts by adding an additional field to the events they forward. I can do this by adding an inputs.conf in /Splunk_home/etc/system/local and this works. My metadata field is called uf_deployment::remote_laptop (see below).

[monitor://C:\Windows\System32\winevt\Logs\Application.evtx]
index = my_index
disabled = 0
sourcetype = XmlWinEventLog
_meta = uf_deployment::remote_laptop


However, the only way I can see how to do this is by monitoring a log file and using the [monitor] tag. But this presents a problem; I don't want to forward events from a log that I'm not interested in, nor do I want to duplicate events. I'm looking for a solution that will allow me to send the _meta = uf_deployment::remote_laptop field without having to "monitor" a log file. So far I have tried [default] with no success (see below). Any help is appreciated. Thank you.

[default]
index = my_index
disabled = 0
sourcetype = XmlWinEventLog
_meta = uf_deployment::remote_laptop
