I'd like to add metadata to my events at the source and change the _meta
value periodically without restarting the forwarders.
forwarder:
inputs.conf
[monitor::///var/logs]
_meta = foo:bar
indexers:
fields.conf
[foo]
INDEXED = true
I also want to update the metadata value periodically without restarting Splunk on the forwarders.
$SPLUNK_HOME/bin
./splunk _internal call /services/data/inputs/monitor/_reload -auth admin:changeme
forwarder:
inputs.conf
[monitor::///var/logs]
_meta = foo:bar
indexers:
fields.conf
[foo]
INDEXED = true
I also want to update the metadata value periodically without restarting Splunk on the forwarders.
$SPLUNK_HOME/bin
./splunk _internal call /services/data/inputs/monitor/_reload -auth admin:changeme
Hi @rphillips_splk where can I find the doc for commands like ./splunk _internal call /services/data/inputs/monitor/_reload -auth admin:changeme
Can I do a post whit it ?
No. The only "variable" (runtime-determined) parts of the config are those explicitly defined as such in specs.
For example - serverName parameter in [general] section of server.conf. The specs say that it can contain environment variables so it can be dynamically set. For other parameters you define constant values.
@michaelissartel I haven't tested using an env variable as the field value before. If you do end up testing can you put your reply here for others?
Hi, this solution has been cancelled 😕
In case anyone else runs across this, the proper syntax in the inputs.conf is
_meta = foo::bar
two colons between the key and value instead of one.