Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How can I merge _meta from several inputs.conf files

cwacha
Path Finder
‎06-06-2011 02:47 AM

I use the universal forwarders ability to enrich the transported files with _meta keywords as follows:

./etc/apps/myapp/local/inputs.conf

[monitor:///myfile]
  disabled = false
  _meta = key1::value key2::value

I also have global key/value pairs for _meta that I would like to add automatically to all monitor stanzas. They are defined in

./system/local/inputs.conf

[default]
  _meta = globalkey::value

The globalkey keyword gets added to all monitor stanzas that do not define a specific _meta keyword. I would like to have the globalkey keyword as well as the additionally defined key/value pairs in the apps inputs.conf defined. Unfortunately the _meta field in apps/../inputs.conf overwrites the system/local/inputs.conf _meta entry.

Is it possible to append the global keywords (defined in ./system/local/) to the defined _meta tag (defined in ./apps/local/inputs.conf) ?.

For example with a configuration as follows using $_meta:

./system/local/inputs.conf

[default]
  _meta = globalkey::value

./etc/apps/myapp/local/inputs.conf

[monitor:///myfile]
  disabled = false
  _meta = $_meta key1::value key2::value
Reply

jbsplunk
Splunk Employee
Splunk Employee
‎06-06-2011 08:29 AM

I don't think it is possible to merge entries from inputs.conf in the manner your describing here. The way precedence works is to take the stanza and do merging based on the settings. The setting with the highest priority is what is taken into account. Other settings will be ignored.

You can probably do this with a props/transforms configuration on the stanzas where you want this to occur.

Reply

jbsplunk
Splunk Employee
Splunk Employee
‎06-07-2011 07:56 AM

The universal forwarder can't do much in the way of parsing, but you can do it at the indexer that the UF is reporting into without any problem.

0 Karma
Reply

cwacha
Path Finder
‎06-07-2011 01:19 AM

As fas as I know props/transforms cannot be used with the universal forwarder...

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...