Assign default fields dynamically

Assign default fields dynamically

This feature allows you to dynamically assign default fields, also known as "metadata", to files as they are being consumed by Splunk. Use this feature to specify source type, host, or source dynamically for incoming data. This feature is useful mainly with scripted data -- either a scripted input or an existing file processed by a script.

Important: Splunk does not recommend using dynamic metadata assignment with ongoing file monitoring (tail) inputs. For more information about file inputs, refer to Monitor files and directories in this manual.

To use this feature, you append a single dynamic input header to your file and specify the metadata fields you want to assign values to. The available metadata fields are sourcetype, host, and source.

You can use this method to assign metadata instead of editing inputs.conf, props.conf, and transforms.conf.

Configure a single input file

To use this feature for an existing input file, edit the file (either manually or with a script) to add a single input header:

      ***SPLUNK*** <metadata field>=<string> <metadata field>=<string> ...

• Set <metadata field>=<string> to a valid metadata/value pair. You can specify multiple pairs. For example, sourcetype=log4j host=swan.
• Add the single header anywhere in your file. Any data following the header will be appended with the attributes and values you assign until the end of the file is reached.
• Add your file to $SPLUNK_HOME/var/spool/splunk or any other directory being monitored by Splunk.

Configure with a script

In the more common scenario, you write a script to dynamically add an input header to your incoming data stream. Your script can also set the header dynamically based on the contents of the input file.

• Was this topic useful?
• Post a comment