foo represents field name , bar represents field value

rphillips_splk · ‎04-11-2018

I'd like to add metadata to my events at the source and change the _meta value periodically without restarting the forwarders.

rphillips_splk · ‎04-11-2018

forwarder:
inputs.conf
[monitor::///var/logs]
_meta = foo:bar

indexers:
fields.conf
[foo]
INDEXED = true

I also want to update the metadata value periodically without restarting Splunk on the forwarders.

$SPLUNK_HOME/bin
./splunk _internal call /services/data/inputs/monitor/_reload -auth admin:changeme

rphillips_splk · ‎04-11-2018

forwarder:
inputs.conf
[monitor::///var/logs]
_meta = foo:bar

indexers:
fields.conf
[foo]
INDEXED = true

I also want to update the metadata value periodically without restarting Splunk on the forwarders.

$SPLUNK_HOME/bin
./splunk _internal call /services/data/inputs/monitor/_reload -auth admin:changeme

gravesb · ‎12-05-2019

In case anyone else runs across this, the proper syntax in the inputs.conf is
_meta = foo::bar
two colons between the key and value instead of one.

How can I add metadata to events at the forwarder?