Hi everyone,
I am using Splunk Enterprise 7.0.8.5 with the Universal Forwarder 6.5.2/6.5.3 on multiple hosts running Ubuntu 14.04 LTS or 16.04 LTS, and I am trying to find a way to tie the versions of specific debians installed on these hosts to the generated log events for specific sourcetypes.
Example: assuming I configured Splunk so that all log lines for sourcetype mysourcetype are generated by programs installed by the mydebian debian package, I'd like to know for each log event on mysourcetype which version of the mydebian package was installed on the host when this log event was created. This would help me among other things to correlate the occurrences of various events to the versions of software installed on the hosts ("Did failure X occur more on v2.3 than on v1.5?")
Note that I only need to tie log events <> package versions in Splunk Cloud when doing searches there; I don't technically need this association at index time on the hosts.
With a bit of research on these forums I found the _meta 'tag' for inputs.conf that I can use to attach key/value pairs to log events in the form _meta = field1::foo field2::bar ( https://answers.splunk.com/answers/1453/how-do-i-add-metadata-to-events-coming-from-a-splunk-forwarder.html ), but 1) I understand that attaching this metadata directly on the hosts (at index time) would increase the size of every ingested message and most of the time ingest the same information (these package versions might change every few days at most), and 2) I think I understand how _meta can be used with extracted fields, but not how I would use it with, say, the output of a shell command ( dpkg [...] ).
Retrieving these package versions and the timestamps of when they changed is fairly easy to do with our Splunk setup, so I am thinking of an alternative to _meta where I would create a temporal lookup table (easy) in the form:
mydebian_installation_time,host,mydebian_version_installed
2018-11-13 13:10:05.908,host1,2.3.4
2018-12-18 19:26:45.000,host1,2.3.5
2018-12-31 21:03:03.000,host2,1.2
[...]
And then tie the corresponding package version to each log event in mysourcetype. Ideally I'd only have to do this association once, and maybe update it periodically, but not with every single search. I haven't found how to do this last part though (tying info from a temporal lookup table to log events), so I am looking for pointers there too.
Thanks
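The join the post is asking for, as an added stand-alone example (not code from the original post, and not Splunk's own implementation): each event is matched to the lookup row for the same host whose installation time is the latest one not after the event's timestamp, which is the semantics of a time-based lookup. The lookup CSV reuses the exact column layout and rows from the post; the events, their millisecond timestamp format, the `_time`/`host`/`_raw` field names and the "unknown" label for unmatched events are my assumptions for the sample.

```python
"""Tie each log event to the package version installed on its host at event time.

Added example, not code from the original post or from Splunk: a stand-alone
model of the temporal lookup the post describes. The lookup CSV copies the
column layout given in the post; the events are constructed sample data.
"""
import bisect
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

# Constructed lookup table, same columns and rows as in the post.
LOOKUP_CSV = """\
mydebian_installation_time,host,mydebian_version_installed
2018-11-13 13:10:05.908,host1,2.3.4
2018-12-18 19:26:45.000,host1,2.3.5
2018-12-31 21:03:03.000,host2,1.2
"""

# Constructed sample events in the shape a search would return (assumed field names).
EVENTS = [
    {"_time": "2018-11-20 08:00:00.000", "host": "host1", "_raw": "failure X"},
    {"_time": "2018-12-18 19:26:45.000", "host": "host1", "_raw": "failure X"},
    {"_time": "2019-01-05 10:00:00.000", "host": "host1", "_raw": "failure X"},
    {"_time": "2018-12-01 00:00:00.000", "host": "host2", "_raw": "failure X"},
    {"_time": "2019-01-01 00:00:00.000", "host": "host3", "_raw": "failure X"},
]

TIME_FORMAT = "%Y-%m-%d %H:%M:%S.%f"  # matches the millisecond timestamps above


def parse_ts(text):
    """Parse a lookup or event timestamp; %f accepts the 3-digit fraction."""
    return datetime.strptime(text, TIME_FORMAT)


def load_lookup(csv_text):
    """Build {host: (sorted install times, versions in the same order)}."""
    per_host = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        per_host[row["host"]].append(
            (parse_ts(row["mydebian_installation_time"]),
             row["mydebian_version_installed"]))
    table = {}
    for host, entries in per_host.items():
        entries.sort()  # installation order, so a binary search works below
        table[host] = ([t for t, _ in entries], [v for _, v in entries])
    return table


def version_at(table, host, event_time):
    """Version whose installation time is the latest one <= event_time.

    Returns None when the host is unknown or the event predates the first
    recorded installation, so such events are never silently attributed
    to a version.
    """
    if host not in table:
        return None
    times, versions = table[host]
    i = bisect.bisect_right(times, event_time)  # number of rows at or before the event
    return versions[i - 1] if i else None


def enrich(table, events):
    """Return copies of the events with mydebian_version_installed attached."""
    return [
        dict(event, mydebian_version_installed=version_at(
            table, event["host"], parse_ts(event["_time"])))
        for event in events
    ]


def counts_by_version(enriched_events):
    """Answer 'did failure X occur more on one version than another?'"""
    return dict(Counter(
        e["mydebian_version_installed"] or "unknown" for e in enriched_events))


if __name__ == "__main__":
    table = load_lookup(LOOKUP_CSV)
    for e in enrich(table, EVENTS):
        print(e["_time"], e["host"], e["mydebian_version_installed"])
    print(counts_by_version(enrich(table, EVENTS)))
```

Two edge cases are deliberately visible in the sample: an event whose timestamp equals an installation time is attributed to the newly installed version, and an event on a host with no earlier row (or no row at all) is reported as unknown rather than matched to the nearest later install. In Splunk itself the same semantics come from a time-based lookup: on the lookup definition in transforms.conf set time_field to mydebian_installation_time and a time_format matching the CSV timestamps, after which `| lookup <definition> host OUTPUT mydebian_version_installed` matches against each event's _time; defining it as an automatic lookup on the sourcetype in props.conf applies it to every search without repeating the command, and the CSV only has to be regenerated when a package changes.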