I sometimes use the _meta capability of inputs.conf to add a meta field to the data when it makes sense to do so. For example, if you have some intermediary forwarders, it can be useful to add a host_forwarder field to understand the originating host and also the host of the forwarder that the data flowed through.
Typically you can add the meta field to the [default] stanza of inputs.conf under system local as follows:
[default]
host = myHostName
_meta = host_forwarder::myHostName
This works pretty well and basically inserts a host_forwarder field for all events flowing through the forwarder. However, I recently implemented this on a Windows UF and also decided to collect the local Windows events from the forwarder in question, but noticed that this seems to work for all inputs other than WinEventLog inputs. When I btool it up and check the WinEventLog input - the _meta is there, but it is not respected and the field does not appear in the indexed data in Splunk. It seems to only affect Windows event inputs - all other input stanzas are fine. Possible bug or is this by design? Using a 6.2.3 UF on Windows 2012.
I know this is a really old post, but ran across this when I was trying to figure this out. I was able to figure out how to fix this issue.
You can use the [WinEventLog] stanza in your inputs.conf to globally specify configs for all WinEventLog inputs. [perfmon] also works as well.
[WinEventLog]
_meta = host_forwarder::myHostName
[perfmon]
_meta = host_forwarder::myHostName
Hi everyone, my company also has this [default]\n _meta requirement for the Splunk_TA_windows input stanzas. Since this has been a requirement for a few years now and has not had much attention, we have been asked by Splunk support to upvote https://ideas.splunk.com/ideas/APPSID-I-678 so that Splunk TA developers could prioritize this feature request.
Bests.
Good find. It's a shame Splunk couldn't just use [default] like everything else and instead needed to create a specific [WinEventLog] stanza to deal with global elements related to Windows event log.
I have been having this issue as well, and I figured out what appears to be a workaround. Rather than putting _meta in the [default] stanza, you have to put it under each [WinEventLog:*] stanza. This probably throws off some use cases, and hopefully this can be fixed at some point.
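An added example, not part of the thread: a small Python check that reads an on-disk inputs.conf and lists the WinEventLog and perfmon inputs that would not carry the host_forwarder field, treating a _meta set only in [default] as not applied, as the posts above report. The function names and the sample input names are assumptions made for illustration.

```python
import re

# Input families that, per the thread, ignore _meta inherited from [default].
FAMILIES = ("WinEventLog", "perfmon")

def parse_conf(text):
    """Parse inputs.conf-style text into {stanza_name: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def inputs_missing_meta(text, field="host_forwarder"):
    """List Windows input stanzas that do not receive `field` via _meta."""
    stanzas = parse_conf(text)
    def has_field(name):
        return f"{field}::" in stanzas.get(name, {}).get("_meta", "")
    missing = []
    for name in stanzas:
        family, sep, _ = name.partition(":")
        # Covered only by the input's own stanza or its family-wide stanza, not [default].
        if sep and family in FAMILIES and not (has_field(name) or has_field(family)):
            missing.append(name)
    return missing

# Constructed sample of an on-disk inputs.conf (input names are illustrative).
SAMPLE = """\
[default]
_meta = host_forwarder::myHostName
[perfmon]
_meta = host_forwarder::myHostName
[WinEventLog://Security]
disabled = 0
[WinEventLog://System]
_meta = host_forwarder::myHostName
[perfmon://CPU]
counters = *
"""

if __name__ == "__main__":
    print(inputs_missing_meta(SAMPLE))
```

Run it against the raw configuration files rather than btool output: as the original question notes, btool shows the inherited _meta on the WinEventLog input even though the field never reaches the indexed events.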