Log tag recolection

TecDiver · ‎02-12-2021

Hi,

I´m new with Splunk and i´m trying to do to enable a tag on splunk recolection to know from which heavy/indexer is coming each log source but i don´t know how to do or approach.

Thank you for your help. Regards.

scelikok · ‎02-12-2021

Hi @TecDiver,

You can add metadata using "_meta" in your inputs.conf on UF or Heavy Forwarders (wherever inputs.conf is defined). You have to use default, WinEventLog and perfmon stanzas, since windows and perfmon inputs are not using default stanza for metadata.

inputs.conf

[default]
_meta = host_forwarder::myHostName

[WinEventLog]
_meta = host_forwarder::myHostName

[perfmon]
_meta = host_forwarder::myHostName

In order to be able to use this new field on your searches you should also add below setting in your search heads fields.conf.

fields.conf
[host_forwarder]
INDEXED=true

If this reply helps you an upvote and "Accept as Solution" is appreciated.

TecDiver · ‎03-11-2021

We have tested but on 7.3.0 it´s not working for us.

We haven´t solved yet.

Thank you for your support.

Log tag recolection

heavy forwarder

host

index

indexer

inputs.conf

Linux

props.conf

source

sourcetype

syslog

transforms.conf

universal forwarder

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Unlock Database Monitoring with Splunk Observability Cloud

Join the Conversation

Log tag recolection