I've configured inputs.conf on a universal forwarder with:

[monitor:///somefile.log]
_meta = testkey::testvalue

[monitor:///anotherfile.log]
_meta = testkey::testvalue

[monitor:///yetanotherfile.log]
_meta = testkey::anothervalue

and added an entry to fields.conf on the indexer:

[testkey]
INDEXED=true

This works perfectly fine (I can use the testkey field in searches), but the forwarder complains of a "possible typo", and I can find no reference to the "_meta" notation in the current documentation. Is this an "undocumented feature" that may disappear? Is there an alternative way to mark events for a monitored file with no other dependencies or side effects? (I'd like to keep the standard use of the source, sourcetype, and host fields, independent of the "categorization" that I implement with _meta).