Log tag recolection

TecDiver · ‎02-12-2021

Hi,

I´m new with Splunk and i´m trying to do to enable a tag on splunk recolection to know from which heavy/indexer is coming each log source but i don´t know how to do or approach.

Thank you for your help. Regards.

scelikok · ‎02-12-2021

Hi @TecDiver,

You can add metadata using "_meta" in your inputs.conf on UF or Heavy Forwarders (wherever inputs.conf is defined). You have to use default, WinEventLog and perfmon stanzas, since windows and perfmon inputs are not using default stanza for metadata.

inputs.conf

[default]
_meta = host_forwarder::myHostName

[WinEventLog]
_meta = host_forwarder::myHostName

[perfmon]
_meta = host_forwarder::myHostName

In order to be able to use this new field on your searches you should also add below setting in your search heads fields.conf.

fields.conf
[host_forwarder]
INDEXED=true

If this reply helps you an upvote and "Accept as Solution" is appreciated.

TecDiver · ‎03-11-2021

We have tested but on 7.3.0 it´s not working for us.

We haven´t solved yet.

Thank you for your support.

Log tag recolection

heavy forwarder

host

index

indexer

inputs.conf

Linux

props.conf

source

sourcetype

syslog

transforms.conf

universal forwarder

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

GA: New Data Management App in Splunk Platform

Announcing Modern Navigation: A New Era of Splunk User Experience

Join the Conversation

Log tag recolection

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.