I have got a question about using _meta fields in the /opt/splunkforwarder/etc/system/local/inputs.conf
of a Splunk Universal Forwarder (deployed on an AWS EC2 Instance)
In the inputs.conf of the Splunk Universal Forwarder in development we use one _meta field, vendor, e.g.
[default]
host = $decideOnStartup
_meta = vendor::devops
In our organization the Indexers and Search Heads are managed by a dedicated tooling team. I did NOT request the tooling team to update the fields.conf on the Search Head with e.g. the following statements
[vendor]
INDEXED = true
If I execute the following search in the Search & Reporting Splunk App
index=os host="ip-10-106-152-169.aws.misin.zbi"
I see in Selected Fields the following fields: host, source, sourcetype and vendor. The default fields host, source and sourcetype are index-time extracted fields, but I don't understand how the vendor field is extracted by Splunk, because the fields.conf on the Search Head was not updated yet.
Can anybody explain why the vendor _meta field is automatically extracted when I execute the search index=os host="ip-10-106-152-169.aws.misin.zbi", without updating the fields.conf on the Search Head?
I also noticed that the following search
index=os host="ip-10-106-152-169.aws.misin.zbi" vendor=devops
gives no result, but if I change the search to this
index=os host="ip-10-106-152-169.aws.misin.zbi" vendor::devops
I get the same result set as the search index=os host="ip-10-106-152-169.aws.misin.zbi"
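The two configuration files involved, written out as an added example that is not the poster's own files. It keeps the vendor::devops value from the post; the monitor path, the sourcetype and the second field role are illustrative, and the comment on stanza layering assumes the usual Splunk .conf convention that a key set in a specific stanza overrides the same key in [default].

```ini
# inputs.conf on the universal forwarder (added example).
# _meta takes one or more space-separated key::value pairs. They travel with
# every event this forwarder sends and are stored as indexed fields.
[default]
host = $decideOnStartup
_meta = vendor::devops

# A specific input can carry its own _meta. Assumed conf layering: this key
# replaces the [default] _meta for this input, so vendor is repeated here
# rather than inherited. Path and role value are illustrative.
[monitor:///var/log/secure]
sourcetype = linux_secure
_meta = vendor::devops role::bastion

# fields.conf on the search head (added example). One stanza per indexed
# field. INDEXED takes a boolean; a trailing semicolon is not part of the
# syntax and would leave the value unparseable.
[vendor]
INDEXED = true

[role]
INDEXED = true
```

In the search language, `vendor::devops` addresses the indexed field directly, which is why it returns events even before the search head knows anything about vendor. The plain `vendor=devops` form is where the fields.conf stanza above matters: with INDEXED = true the search head searches vendor as an indexed field instead of trying to derive it at search time. Because _meta stamps every event from the forwarder, it is also a cheap way to tag which team or host class data came from; anyone who can edit inputs.conf on the forwarder can set that tag, so treat it as attribution, not as proof of origin.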