Getting Data In

Why is inputs.conf meta not respected for Windows Event Logs on a 6.2.3 universal forwarder?

pj
Contributor

I sometimes use the _meta capability of inputs.conf to add a meta field to the data when it makes sense to do so. For example, if you have some intermediary forwarders, it can be useful to add a host_forwarder field to understand the originating host and also the host of the forwarder that the data flowed through.

Typically you can add the meta field to the [default] stanza of inputs.conf under system local as follows:

[default] 
host = myHostName
_meta = host_forwarder::myHostName

This works pretty well and basically inserts a host_forwarder field for all events flowing through the forwarder. However, I recently implemented this on a Windows UF and also decided to collect the local Windows events from the forwarder in question, but noticed that this seems to work for all inputs other than WinEventLog inputs. When I btool it up and check the WinEventLog input - the _meta is there, but it is not respected and the field does not appear in the indexed data in Splunk. It seems to only affect Windows event inputs - all other input stanzas are fine. Possible bug or is this by design? Using a 6.2.3 UF on Windows 2012.

1 Solution

matthaios
Engager

I know this is a really old post, but ran across this when I was trying to figure this out. I was able to figure out how to fix this issue.

https://docs.splunk.com/Documentation/Splunk/7.2.5/Data/MonitorWindowseventlogdata#Specify_global_se...

You can use the [WinEventLog] stanza in your inputs.conf to globally specify configs for all WinEventLog inputs. [perfmon] also works as well.

[WinEventLog]
_meta = host_forwarder::myHostName

[perfmon]
_meta = host_forwarder::myHostName

pj
Contributor

Good find. It's a shame Splunk couldn't just use [default] like everything else and instead needed to create a specific [WinEventLog] stanza to deal with global elements related to Windows event log.

0 Karma

adam_reber
Path Finder

I have been having this issue as well, and I figured out what appears to be a workaround. Rather than putting _meta in the [default] stanza, you have to put it under each [WinEventLog:*] stanza. This probably throws off some use cases, and hopefully this can be fixed at some point.

0 Karma
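As an added check that is not part of this thread or of Splunk's own tooling, the script below models the stanza precedence described in the accepted answer and in adam_reber's workaround, parses an inputs.conf and reports which input stanzas would be indexed without the meta field. The sample inputs.conf and the precedence rule (WinEventLog:* stanzas ignore [default] and honour only their own stanza or global [WinEventLog]) are assumptions taken from this thread.

```python
import configparser

# Constructed inputs.conf modelled on the thread: _meta in [default], the global
# [WinEventLog] stanza from the accepted answer, and one per-stanza override as
# in adam_reber's workaround.
SAMPLE_INPUTS_CONF = """[default]
host = myHostName
_meta = host_forwarder::myHostName

[WinEventLog]
_meta = host_forwarder::myHostName

[WinEventLog:Security]
disabled = 0

[WinEventLog:Application]
_meta = host_forwarder::otherName

[monitor://C:\\logs\\app.log]
sourcetype = app
"""

GLOBAL_STANZAS = {"default", "WinEventLog", "perfmon"}  # settings, not inputs


def parse_inputs_conf(text):
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case so _meta survives as written
    cp.read_string(text)
    return cp


def effective_meta(cp, stanza):
    """_meta an input stanza actually carries. Assumption from the thread:
    WinEventLog:* inputs ignore [default] and use their own stanza or the
    global [WinEventLog]; every other input falls back to [default]."""
    if cp.has_option(stanza, "_meta"):
        return cp.get(stanza, "_meta")
    if stanza.startswith("WinEventLog:"):
        return cp.get("WinEventLog", "_meta", fallback=None)
    return cp.get("default", "_meta", fallback=None)


def stanzas_missing_meta(text):
    """Input stanzas whose events would be indexed without the meta field."""
    cp = parse_inputs_conf(text)
    return [s for s in cp.sections()
            if s not in GLOBAL_STANZAS and effective_meta(cp, s) is None]
```

Running stanzas_missing_meta against the btool output of a forwarder shows at a glance which Windows inputs still lack the field before the data reaches the indexers.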