Documentation > Splunk > Admin Manual > Assign metadata to events dynamically

Admin Manual

 


Welcome to Splunk administration
What to do first
Use Splunk Web
Meet Splunk apps
Configure Splunk
Indexing with Splunk
Add data and configure inputs
Set up forwarding and receiving
Configure event processing
Configure event timestamping
Configure indexed field extraction
Manage users
Manage indexes
Define alerts
Set up backups and retention policies
Configure data security
Deploy to other Splunk instances
Set up distributed search
Manage search jobs
Use Splunk's command line interface (CLI)
Configuration file reference
Troubleshooting

Assign metadata to events dynamically

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

Contents

Assign metadata to events dynamically

Ths feature allows you to dynamically assign metadata to files as they are being consumed by Splunk. Use this feature to specify source type, host, or other metadata dynamically for for incoming data. This feature is useful mainly with scripted data -- either a scripted input or a pre-existing file processed by a script.

Important: Splunk does not recommend using dynamic metadata assignment with ongoing monitoring (tail) inputs. For more information about file inputs, refer to Monitor files and directories in this manual.

To use this feature, you append a single dynamic input header to your file and specify the metadata fields you want to assign values to. The metadata fields most likely to be of interest are sourcetype, host, and source. You can see the list of all available pipeline metadata fields in transforms.conf.spec.

You can use this method to assign metadata instead of editing inputs.conf, props.conf and transforms.conf.

Configure a single input file

To use this feature for an existing input file, edit the file (either manually or with a script) to add a single input header: 

      ***SPLUNK*** <metadata field>=<string> <metadata field>=<string> ...
  • Set <metadata field>=<string> to a valid metadata/value pair. You can specify mutiple pairs. For example, sourcetype=log4j host=swan.
  • Add the single header anywhere in your file. Any data following the header will be appended with the attributes and values you assign until the end of the file is reached.
  • Add your file to $SPLUNK_HOME/var/spool/splunk or any other directory being monitored by Splunk.

Configure with a script

In the more common scenario, you write a script to dynamically add an input header to your incoming data stream. Your script can also set the header dynamically based on the contents of the input file.

Retrieved from "http://docs.splunk.com/Documentation/Splunk/4.1.5/Admin/Assignmetadatatoeventsdynamically"

This documentation applies to the following versions of Splunk: 4.1 , 4.1.1 , 4.1.2 , 4.1.3 , 4.1.4 , 4.1.5 , 4.1.6 , 4.1.7 , 4.1.8 View the Article History for its revisions.


You must be logged into splunk.com in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.

Feedback submitted, thanks!