Splunk Search

How to add new fields to certain events via _meta?


Hi Splunkers,

I try to get a new internal field "_application" added to certain events.

So I added a new field via the _meta to the inputs.conf on the forwarder.



sourcetype = df_metric
source = df
interval = 300
disabled = 0
index = server_nixeventlog
_meta = _application::<application_name>



I also added a new stanza to the fields.conf



INDEXED = false
#* Set to "true" if the field is created at index time.
#* Set to "false" for fields extracted at search time. This accounts for the
#  majority of fields.
#* Set to "true" if the value is in the raw text of the event.
#* Set to "false" if the value is not in the raw text of the event#.



The fields.conf is deployed to indexer and SH.

But I still do not see the event.

I tried searching for






Can somebody explain to me where the problem is?



0 Karma

Ultra Champion

If you want to have a metadata field "external" to the event itself, you must create an indexed field, since the field value is not in any way contained within the event itself.

But your INDEXED=false setting says that Splunk shouldn't treat the field as indexed.

Another question is whether you really do need the external field. Isn't the information contained within the event itself? There are use cases when indexed fields can be useful, but they are rare, and quite often indexed fields are a wrong way of resolving your problem 😉

0 Karma


Hi PickleRick,

Thanks for replying so quickly.

Yeah, I do not want it to be an index-time field.

No, the information unfortunately is not statically in the event itself.

I now found out that Splunk permits using leading underscore fields, so I think I found a dead end here and have to find another solution.


0 Karma

Ultra Champion

If you can devise your application field from other field(s) - for example, some set of host values corresponds with application A and another set is app B - you could try using lookups or eventtypes to calculate it at search time.

0 Karma
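The search-time approach suggested in the last reply, sketched as an automatic lookup (an added example, not configuration posted by anyone in this thread). The lookup name `host_to_application`, the file `host_application.csv`, the host values and the output field name `application` are assumptions; only the `df_metric` sourcetype comes from the question.

```ini
# --- lookups/host_application.csv (constructed sample content) ---
# host,application
# web-01,shop_frontend
# web-02,shop_frontend
# db-01,billing

# --- transforms.conf (search head) ---
[host_to_application]
filename = host_application.csv
# Hosts that are missing from the CSV get a visible placeholder value
min_matches = 1
default_match = unknown

# --- props.conf (search head) ---
[df_metric]
# Automatic lookup: maps the event's host to "application" at search time,
# so nothing is added at index time and no data has to be re-indexed
LOOKUP-application = host_to_application host OUTPUT application
```

Because the field is computed at search time, it needs neither a `_meta` entry on the forwarder nor a fields.conf stanza.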