Splunk Enterprise

Adding meta without changing splunk cloud

ivaleev
Loves-to-Learn

We send data to Splunk Cloud from Universal Forwarder. I want to add _meta to each event sent to the Splunk Cloud.

I've added _meta to each stanza in the inputs.conf and restarted the Forwarder, but the meta does not appear in the Splunk Cloud

 

 

[default]
host = HOSTNAME
index = INDEX
source = SOURCE

# Monitor NGINX Logs
[monitor:///var/log/nginx/access.json.log]
disabled = false
sourcetype = SOURCETYPE
_meta = region::sae1
...

 

 

 

What could I miss? Is it possible to add the meta without changes in the Splunk Cloud?

Labels (1)
0 Karma

livehybrid
Contributor

Hi,

I think you may still need to update fields.conf on Splunk Cloud with

[region]
INDEXED = true

in order for Splunk to know that it is an indexed field.

(https://docs.splunk.com/Documentation/Splunk/latest/Admin/Fieldsconf)

 

0 Karma

ivaleev
Loves-to-Learn

Can it be done in Splunk Cloud user interface?

0 Karma
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!