Splunk Search

How can I add metadata to events at the forwarder?

Splunk Employee

I'd like to add metadata to my events at the source and change the _meta value periodically without restarting the forwarders.

0 Karma
1 Solution

Splunk Employee

forwarder:
inputs.conf
[monitor:///var/logs]
_meta = foo:bar

foo represents the field name, bar represents the field value

indexers:
fields.conf
[foo]
INDEXED = true

I also want to update the metadata value periodically without restarting Splunk on the forwarders.

$SPLUNK_HOME/bin
`./splunk _internal call /services/data/inputs/monitor/_reload -auth admin:changeme`


0 Karma

Engager

In case anyone else runs across this, the proper syntax in the inputs.conf is
_meta = foo::bar
two colons between the key and value instead of one.
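
As an added example (not part of the original posts and not Splunk's own tooling): a shell helper that rewrites the `_meta` setting of one inputs.conf stanza in the `key::value` form noted in the last reply, so a scheduled job can change the value before issuing the reload call from the answer. The function names `set_meta` and `demo`, the sample paths and the allowed-character policy are assumptions.

```shell
#!/bin/sh
# Added example (hypothetical helper): replace the _meta setting of one
# inputs.conf stanza with a single key::value pair.
# usage: set_meta FILE STANZA KEY VALUE
set_meta() {
    file=$1 stanza=$2 key=$3 value=$4
    # Assumed policy: only accept tokens that form exactly one key::value pair.
    case $key in ''|*[!A-Za-z0-9_]*)
        echo "bad field name: $key" >&2; return 2 ;;
    esac
    case $value in ''|*[!A-Za-z0-9_.-]*)
        echo "bad field value: $value" >&2; return 2 ;;
    esac
    # Write next to the target so the final mv is an atomic rename.
    tmp=$(mktemp "$file.XXXXXX") || return 1
    awk -v stanza="[$stanza]" -v line="_meta = ${key}::${value}" '
        /^\[/ {                       # stanza header
            in_stanza = ($0 == stanza)
            print
            if (in_stanza) { print line; found = 1 }
            next
        }
        in_stanza && /^[ \t]*_meta[ \t]*=/ { next }   # drop the old setting
        { print }
        END { if (!found) exit 3 }    # stanza not present: report failure
    ' "$file" > "$tmp" || { rc=$?; rm -f "$tmp"; return "$rc"; }
    mv "$tmp" "$file"
}

# Constructed sample input, written to a temp dir so the demo runs offline.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '[monitor:///var/logs]' '_meta = foo:bar' 'index = main' \
        '' '[monitor:///opt/app]' 'index = app' > "$dir/inputs.conf"
    set_meta "$dir/inputs.conf" 'monitor:///var/logs' foo baz || return
    cat "$dir/inputs.conf"
    rm -rf "$dir"
}
if [ "${1:-}" = demo ]; then demo; fi
# After a successful edit, run the reload call shown in the answer above.
```

The helper replaces the whole `_meta` line of the stanza, so it fits inputs that carry a single pair; the rewritten file takes the permissions `mktemp` assigns, so run it as the account that owns the forwarder's configuration.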