New to Splunk, so bear with me.
As I'm setting it up in our environment, we are forwarding logs from multiple "environments" (think prod, qa, stage, etc.). What I would like to do is, at the host level, define what environment it comes from so that searches are easily filterable, env="prod" for example.
According to this article, it seems "not recommended" to do what I want to do. http://docs.splunk.com/Documentation/Splunk/6.2.1/Data/Configureindex-timefieldextraction
Am I looking in the right place? What's the proper way to do this?
The proper way to do this is by using tags
and setting them up accordingly, for example
host=dev1 tag -> DEV
This way you can change it any time, as this is applied at search time.
Regards
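The host-to-tag mapping from the answer above, written out as a tags.conf fragment (an added example, not part of the original thread). It assumes the file lives in an app's local directory on the search head, since tags are search-time configuration; the host names other than dev1 are made up for illustration.

```ini
# tags.conf on the search head, e.g. $SPLUNK_HOME/etc/apps/search/local/tags.conf
# (the app path is an assumption; any app's local directory works).
# Stanza format: [<field>=<value>] followed by <tagname> = enabled
# The dev1 -> DEV mapping is the one from the answer; prod1/prod2 are constructed.
[host=dev1]
DEV = enabled

[host=prod1]
PROD = enabled

[host=prod2]
PROD = enabled

# Because tags resolve at search time, changing a stanza here re-labels
# existing events without re-indexing. Searches can then filter on the tag:
#   index=main tag=PROD error
# or, to match the tag on the host field only rather than any tagged field:
#   index=main tag::host=PROD error
```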
Can this be done in a configuration file on the host itself? I'd like to configure all of this through Ansible in our Splunk role, similar to the inputs.conf.