Re: _meta and how it works

tam82 · ‎01-26-2022

I am setting _meta at the app level can i also set it in the /system/local or will one override the other

For example

/myapp/inputs

_meta name::bill

/system/local/inputs

_meta last::dave

so then the indexer would get both bill and dave

gcusello · ‎08-12-2022

Hi @tam82 and @splunknewbie,

as you can read at https://docs.splunk.com/Documentation/Splunk/9.0.0/Admin/Inputsconf, it's possible to assign a field value using _meta, but why do you want to do this?

Ciao.

Giuseppe

splunknewbie · ‎08-12-2022

I have the same problem.

I would like to use _meta under hec token definition.

It doesn't work either.

isoutamo · ‎05-17-2024

This has fixed by Splunk. It works at least 9.1.3+ versions as expected.
_meta = foo::bar

PickleRick · ‎05-17-2024

What do you mean by "fixed"?

Assigning _meta worked "since always" (I've been using it for last 5 years or so).

But since it's a single setting, you can't just stack separate definitions from multiple files. Only one will be the "winning" one according to normal rules of config precedence.

isoutamo · ‎05-31-2024

There was a bug with http inputs where it hasn't work earlier even it should. Nice that it has fixed and it works also with http input too.

splunknewbie · ‎05-31-2024

is it fixed? under which version is fixed?

is there any technical documentation for that?

Thanks

_meta: How does it work?

index

inputs.conf

universal forwarder

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Automating Threat Operations and Threat Hunting with Recorded Future

Keep the Learning Going with the New Best of .conf Hub

Splunk Community Badges!

Join the Conversation