metaevents.conf
This documentation does not apply to the most recent version of Splunk.
metaevents.conf sets preferences for the creation of metaevents.
metaevents.conf.spec
# Copyright (C) 2005-2007 Splunk Inc. All Rights Reserved. Version 3.0
# PLEASE NOTE: THIS FILE IS OPTIONAL.
#
# You can optionally add stanzas to $SPLUNK_HOME/etc/bundles/local/metaevents.conf to set a
# preamble message for each metaevent.
#
# This file may have zero or more stanzas. The stanza names establish a namespace
# for different metaevent types. A metaevent type is defined as the prefix to ::
# in the cluster keys for the metaevent. For example, if the cluster identifier for
# a metaevent is "qid::...", the stanza [qid] would contain its settings.
#
# Map the prefix of the cluster key (FORMAT = $YOUR_FIELD_NAME) from the metaevents stanza you have
# created in transforms.conf to your preamble:
[$YOUR_FIELD_NAME]
PREAMBLE = $whatever text string you want to append to the beginning of your metaevents stream.
PREAMBLE = <string>
* This literal string is printed at the top of each metaevent.
metaevents.conf.example
# Copyright (C) 2005-2007 Splunk Inc. All Rights Reserved. Version 3.0
#
# You can optionally add stanzas to $SPLUNK_HOME/etc/bundles/local/metaevents.conf to set a
# preamble message for each metaevent.
# Map the prefix of the cluster key (FORMAT = $YOUR_FIELD_NAME) from the metaevents stanza you have
# created in transforms.conf to your preamble:
# Create a preamble for the cluster key FORMAT = qid.
[qid]
PREAMBLE = The following is a mail transaction generated by Splunk.
# Create a preamble for the cluster key FORMAT = ip.
[ip]
PREAMBLE = The following is a series of IP address transactions.
This documentation applies to the following versions of Splunk: 3.1.4