You can use REST API Modular input for this, with token substitution:
https://splunkbase.splunk.com/app/1546/#/details
We are also facing challenges using this mechanism, but i have seen it work so i'm sure this is the way to go. If someone has more details on their implementation, please let us know.
... View more