Log tag recolection

TecDiver · ‎02-12-2021

Hi,

I´m new with Splunk and i´m trying to do to enable a tag on splunk recolection to know from which heavy/indexer is coming each log source but i don´t know how to do or approach.

Thank you for your help. Regards.

scelikok · ‎02-12-2021

Hi @TecDiver,

You can add metadata using "_meta" in your inputs.conf on UF or Heavy Forwarders (wherever inputs.conf is defined). You have to use default, WinEventLog and perfmon stanzas, since windows and perfmon inputs are not using default stanza for metadata.

inputs.conf

[default]
_meta = host_forwarder::myHostName

[WinEventLog]
_meta = host_forwarder::myHostName

[perfmon]
_meta = host_forwarder::myHostName

In order to be able to use this new field on your searches you should also add below setting in your search heads fields.conf.

fields.conf
[host_forwarder]
INDEXED=true

If this reply helps you an upvote and "Accept as Solution" is appreciated.

TecDiver · ‎03-11-2021

We have tested but on 7.3.0 it´s not working for us.

We haven´t solved yet.

Thank you for your support.

Log tag recolection

heavy forwarder

host

index

indexer

inputs.conf

Linux

props.conf

source

sourcetype

syslog

transforms.conf

universal forwarder

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine

Are you a member of the Splunk Community?

Log tag recolection