Log tag recolection

TecDiver · ‎02-12-2021

Hi,

I´m new with Splunk and i´m trying to do to enable a tag on splunk recolection to know from which heavy/indexer is coming each log source but i don´t know how to do or approach.

Thank you for your help. Regards.

scelikok · ‎02-12-2021

Hi @TecDiver,

You can add metadata using "_meta" in your inputs.conf on UF or Heavy Forwarders (wherever inputs.conf is defined). You have to use default, WinEventLog and perfmon stanzas, since windows and perfmon inputs are not using default stanza for metadata.

inputs.conf

[default]
_meta = host_forwarder::myHostName

[WinEventLog]
_meta = host_forwarder::myHostName

[perfmon]
_meta = host_forwarder::myHostName

In order to be able to use this new field on your searches you should also add below setting in your search heads fields.conf.

fields.conf
[host_forwarder]
INDEXED=true

If this reply helps you an upvote and "Accept as Solution" is appreciated.

TecDiver · ‎03-11-2021

We have tested but on 7.3.0 it´s not working for us.

We haven´t solved yet.

Thank you for your support.

Log tag recolection

heavy forwarder

host

index

indexer

inputs.conf

Linux

props.conf

source

sourcetype

syslog

transforms.conf

universal forwarder

Splunk Mobile: Your Brand-New Home Screen

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

Are you a member of the Splunk Community?

Log tag recolection