For Splunk team,
I think a better/easier way for us to add indexed "tags" (i.e. additional fields) to all events of a certain sourcetype/source, or even globally (all events sent from this host), from a Universal Forwarder is something which needs first-class support and documentation. Seems like most folks are having to hack on _meta (and then on fields.conf and possibly elsewhere).
My use case, for example: we run hosts in AWS EC2 and we have several tags on our instances which identify things like server-type (api, worker, etc), environment (prod, staging, dev, etc), and additionally things like instance_id, AWS region, etc. Would be awesome if we can either provide these tags from a file. (What I'm currently doing is running a cloud-init script at start to assemble all of the tags and inject them into the _meta field on my inputs.conf of forwarder. Also, I had to deploy a systemd override/drop-in config for splunkd to ensure Splunk forwarder is started only after my cloud-final, as I'm using cloud-init per-instance start scripts for this instance-start-time configuration hack, but YMMV for other folks.)
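A sketch of the boot-time `_meta` injection described in the post, with tag values restricted to a small character set so that a tag cannot add extra `key::value` pairs or extra config lines. This is an added example, not the poster's script or Splunk-provided code; the `key=value` tag file, the function names, the sample tags and the script-owned `inputs.conf` with a `[default]` stanza are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's script. Tag names and values are constructed.

# Constructed sample: tags as a boot script might have collected them.
# The "role" value tries to smuggle in a second key::value pair.
sample_tags() {
    cat <<'EOF'
# collected at first boot
environment=prod
server_type=api
region=us-east-1
role=worker index::main
bad key=ignored
EOF
}

# build_meta FILE: turn key=value lines into one "_meta = k::v k::v" line.
build_meta() {
    meta=""
    while IFS='=' read -r key value || [ -n "$key" ]; do
        # Skip blank lines and comments.
        case "$key" in ''|\#*) continue ;; esac
        # Drop keys that are not plain identifiers.
        case "$key" in *[!A-Za-z0-9_]*) continue ;; esac
        # Replace whitespace, ':' and anything else outside a small safe set,
        # so a value cannot add pairs or break out of the _meta line.
        value=$(printf '%s' "$value" | tr -c 'A-Za-z0-9_.-' '_')
        [ -n "$value" ] || continue
        meta="${meta:+$meta }${key}::${value}"
    done < "$1"
    printf '_meta = %s\n' "$meta"
}

# write_default_stanza FILE TARGET: write a [default] stanza carrying _meta.
# TARGET is assumed to be an inputs.conf that only this script manages.
write_default_stanza() {
    tmp="$2.tmp.$$"
    { printf '[default]\n'; build_meta "$1"; } > "$tmp" && mv "$tmp" "$2"
}

# Demo on the constructed sample; prints the generated _meta line.
demo_file=$(mktemp)
sample_tags > "$demo_file"
build_meta "$demo_file"
rm -f "$demo_file"
```

As the post notes, `fields.conf` still has to be handled separately; this sketch covers only the forwarder-side `_meta` line.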