I would also like to be able to attach meta-data to log events sent via the HEC.
My use case is logs from Docker containers. I want to pass through log-lines from each container, intact, and optionally specify a "source type" to tell Splunk how to parse them (which rules out transforming the lines on their way to Splunk). But, I also want to capture metadata such as container-name, e.g.
{
  "time": ...,
  "source": ...,
  "event": "192.168.0.1 fnord:/api/blah - 42.3 admin yup garbage",
  "sourcetype": "my-custom-reverse-proxy-log-format",
  "meta": {
    "stack": "myapp-demo",
    "container": {
      "name": "revproxy",
      "id": "4b6771ca97e3"
    }
  }
}
Is this possible?