Re: _meta and how it works

tam82 · ‎01-26-2022

I am setting _meta at the app level can i also set it in the /system/local or will one override the other

For example

/myapp/inputs

_meta name::bill

/system/local/inputs

_meta last::dave

so then the indexer would get both bill and dave

gcusello · ‎08-12-2022

Hi @tam82 and @splunknewbie,

as you can read at https://docs.splunk.com/Documentation/Splunk/9.0.0/Admin/Inputsconf, it's possible to assign a field value using _meta, but why do you want to do this?

Ciao.

Giuseppe

splunknewbie · ‎08-12-2022

I have the same problem.

I would like to use _meta under hec token definition.

It doesn't work either.

isoutamo · ‎05-17-2024

This has fixed by Splunk. It works at least 9.1.3+ versions as expected.
_meta = foo::bar

PickleRick · ‎05-17-2024

What do you mean by "fixed"?

Assigning _meta worked "since always" (I've been using it for last 5 years or so).

But since it's a single setting, you can't just stack separate definitions from multiple files. Only one will be the "winning" one according to normal rules of config precedence.

isoutamo · ‎05-31-2024

There was a bug with http inputs where it hasn't work earlier even it should. Nice that it has fixed and it works also with http input too.

splunknewbie · ‎05-31-2024

is it fixed? under which version is fixed?

is there any technical documentation for that?

Thanks

_meta: How does it work?

index

inputs.conf

universal forwarder

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?