Getting Data In

Is there any way to pass more metadata to the deployment server from universal forwarders?

New Member

Is there any way to pass more metadata to a deployment server from universal forwarders? I'm thinking either key/value pairs via conf files or something more dynamic like passing facter or ohai information.

0 Karma


Universal forwarders do not pass information to the deployment server - they poll and download information from the deployment server.

When the UF polls the deployment server, it supplies only its identifying information (GUID, etc) and maybe the hashes for its apps. (I am not exactly sure whether the client or the server does the hash comparison.) You cannot customize the info that the UF supplies to the deployment server.

You can put anything that you want in the apps that the UF downloads from the deployment server. The apps must follow the structure for regular Splunk apps.

Bottom line is "no." I don't believe that there is any way to do this.

Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...