can I pass additional source info from inputs.conf

jangid · ‎07-08-2013

Is it possible to pass extra info from inputs.conf?

e.g. [inputs.conf]

[default]
host = my_host

[monitor://somepath]
sourcetype = my_source
additional_info = my_additional_info

I want this additional info from all the forwarder, due to some reason I can not use host name.

Thanks

sunrise · ‎07-08-2013

You need to set custom fields. Reference below URL.
But this is not recommended by Splunk.
http://docs.splunk.com/Documentation/Splunk/5.0.3/Data/Configureindex-timefieldextraction

Generally you should use custom fields at search time, editing props.conf or transforms.conf.
http://docs.splunk.com/Documentation/Splunk/5.0.3/Knowledge/Addfieldsatsearchtime

jangid · ‎07-08-2013

this is my custom information. I want to add this information along with sourcetype and is should be searchable. similar to sourcetype, source and host.

linu1988 · ‎07-08-2013

From the splunk documentation there is no additional parameters can be passed. But what is the difference between the sourcetype and additional_info? it's the same if we use in search.

can I pass additional source info from inputs.conf

Fueling your curiosity with new Splunk ILT and eLearning courses

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Unleash Unified Security and Observability with Splunk Cloud Platform