Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I add metadata to events at the forwarder?

rphillips_splk
Splunk Employee
Splunk Employee
‎04-11-2018 02:13 PM

I'd like to add metadata to my events at the source and change the _meta value periodically without restarting the forwarders.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rphillips_splk
Splunk Employee
Splunk Employee
‎04-11-2018 02:14 PM

forwarder:
inputs.conf
[monitor::///var/logs]
_meta = foo:bar

foo represents field name , bar represents field value

indexers:
fields.conf
[foo]
INDEXED = true

I also want to update the metadata value periodically without restarting Splunk on the forwarders.

$SPLUNK_HOME/bin
./splunk _internal call /services/data/inputs/monitor/_reload -auth admin:changeme

View solution in original post

Reply
Solved! Jump to solution
Solution

rphillips_splk
Splunk Employee
Splunk Employee
‎04-11-2018 02:14 PM

forwarder:
inputs.conf
[monitor::///var/logs]
_meta = foo:bar

foo represents field name , bar represents field value

indexers:
fields.conf
[foo]
INDEXED = true

I also want to update the metadata value periodically without restarting Splunk on the forwarders.

$SPLUNK_HOME/bin
./splunk _internal call /services/data/inputs/monitor/_reload -auth admin:changeme

Reply
Solved! Jump to solution

michaelissartel
Explorer
‎10-26-2023 02:30 AM

Hi @rphillips_splk where can I find the doc for commands like ./splunk _internal call /services/data/inputs/monitor/_reload -auth admin:changeme

Can I do a post whit it ?

0 Karma
Reply
Solved! Jump to solution

michaelissartel
Explorer
‎10-24-2023 08:43 AM

Hi @rphillips_splk 

bar can be an environment variable ?

thanks

 

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎10-26-2023 03:23 AM

No. The only "variable" (runtime-determined) parts of the config are those explicitly defined as such in specs.

For example - serverName parameter in [general] section of server.conf. The specs say that it can contain environment variables so it can be dynamically set. For other parameters you define constant values.

Reply
Solved! Jump to solution

rphillips_splk
Splunk Employee
Splunk Employee
‎10-24-2023 12:37 PM

@michaelissartel I haven't tested using an env variable as the field value before. If you do end up testing can you put your reply here for others?

Reply
Solved! Jump to solution

michaelissartel
Explorer
‎10-25-2023 09:57 AM

Hi, this solution has been cancelled  😕

0 Karma
Reply
Solved! Jump to solution

gravesb
Engager
‎12-05-2019 01:06 PM

In case anyone else runs across this, the proper syntax in the inputs.conf is
_meta = foo::bar
two colons between the key and value instead of one.

Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...