Getting Data In

Why is inputs.conf meta not respected for Windows Event Logs on a 6.2.3 universal forwarder?

pj
Contributor

I sometimes use the _meta capability of inputs.conf to add a meta field to the data when it makes sense to do so. For example, if you have some intermediary forwarders, it can be useful to add a host_forwarder field to understand the originating host and also the host of the forwarder that the data flowed through.

Typically you can add the meta field to the [default] stanza of inputs.conf under system local as follows:

[default] 
host = myHostName
_meta = host_forwarder::myHostName

This works pretty well and basically inserts a host_forwarder field for all events flowing through the forwarder. However, I recently implemented this on a Windows UF and also decided to collect the local Windows events from the forwarder in question, but noticed that this seems to work for all inputs other than WinEventLog inputs. When I btool it up and check the WinEventLog input - the _meta is there, but it is not respected and the field does not appear in the indexed data in Splunk. It seems to only affect Windows event inputs - all other input stanzas are fine. Possible bug or is this by design? Using a 6.2.3 UF on Windows 2012.

1 Solution

matthaios
Engager

I know this is a really old post, but ran across this when I was trying to figure this out. I was able to figure out how to fix this issue.

https://docs.splunk.com/Documentation/Splunk/7.2.5/Data/MonitorWindowseventlogdata#Specify_global_se...

You can use the [WinEventLog] stanza in your inputs.conf to globally specify configs for all WinEventLog inputs. [perfmon] works as well.

[WinEventLog]
_meta = host_forwarder::myHostName

[perfmon]
_meta = host_forwarder::myHostName

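As an added illustration (not code from this thread or from Splunk), a small Python checker that applies the rule the accepted answer describes: it parses an inputs.conf and reports which input stanzas will actually carry a _meta field, treating [default] as not consulted for WinEventLog:* and perfmon:// inputs, which instead inherit from the [WinEventLog] and [perfmon] global stanzas (or a per-stanza _meta). The sample inputs.conf, the stanza names and "myHostName" are constructed placeholders, and the inheritance order is modelled from the thread, not from a Splunk specification.

```python
import configparser
# Constructed sample inputs.conf; "myHostName" is a placeholder, as in the thread.
SAMPLE_INPUTS_CONF = r"""[default]
host = myHostName
_meta = host_forwarder::myHostName

[monitor://C:\logs\app.log]
sourcetype = app_log

[WinEventLog:Security]
disabled = 0

[WinEventLog:Application]
_meta = host_forwarder::myHostName

[perfmon://CPU]
object = Processor
"""
# The same file plus the global stanzas from the accepted answer.
FIXED_INPUTS_CONF = SAMPLE_INPUTS_CONF + (
    "\n[WinEventLog]\n_meta = host_forwarder::myHostName\n"
    "\n[perfmon]\n_meta = host_forwarder::myHostName\n")

# Inputs with these prefixes skip [default] and inherit _meta from the named global stanza.
GLOBAL_STANZA_FOR = (("WinEventLog:", "WinEventLog"), ("perfmon://", "perfmon"))
GLOBAL_STANZAS = {"default", "WinEventLog", "perfmon"}

def parse_inputs_conf(text):
    # Rename configparser's implicit default section so Splunk's [default] parses as an ordinary stanza.
    cp = configparser.RawConfigParser(default_section="__none__", strict=False,
                                      delimiters=("=",))
    cp.optionxform = str  # keep key case, e.g. "_meta"
    cp.read_string(text)
    return cp

def effective_meta(cp, stanza):
    """Return the _meta value an input stanza will actually emit, or None."""
    if cp.has_option(stanza, "_meta"):      # explicit per-stanza value always wins
        return cp.get(stanza, "_meta")
    for prefix, global_stanza in GLOBAL_STANZA_FOR:
        if stanza.startswith(prefix):       # Windows input: [default] is not consulted
            return cp.get(global_stanza, "_meta", fallback=None)
    return cp.get("default", "_meta", fallback=None)  # other inputs inherit [default]

def report(text):
    cp = parse_inputs_conf(text)
    return {s: effective_meta(cp, s) for s in cp.sections() if s not in GLOBAL_STANZAS}

def missing_meta(text):
    return sorted(s for s, meta in report(text).items() if meta is None)  # stanzas that lose the field
```

Run `missing_meta` over the output of `btool inputs list` to see which Windows stanzas would be indexed without the field before deploying the [WinEventLog]/[perfmon] fix.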

lim2
Communicator

Hi everyone. My company also has this [default]\n _meta requirement for the Splunk_TA_windows input stanzas. Since this has been a requirement for a few years now and has not received much attention, we have been asked by Splunk support to upvote https://ideas.splunk.com/ideas/APPSID-I-678 so that Splunk TA developers could prioritize this feature request.
Bests.

0 Karma


pj
Contributor

Good find. It's a shame Splunk couldn't just use [default] like everything else and instead needed to create a specific [WinEventLog] stanza to deal with global elements related to Windows Event Log.

0 Karma

adam_reber
Path Finder

I have been having this issue as well, and I figured out what appears to be a workaround. Rather than putting _meta in the [default] stanza, you have to put it under each [WinEventLog:*] stanza. This probably throws off some use cases, and hopefully this can be fixed at some point.

0 Karma