Assign default fields dynamically
This feature lets you dynamically assign default fields, also known as "metadata", to events as they are being consumed by Splunk software. Use this feature to specify source type, host, or source dynamically for incoming data. This feature is useful mainly with scripted data -- either a scripted input or an existing file processed by a script.
Do not use dynamic metadata assignment with file monitoring (tail) inputs. For more information about file inputs, see Monitor files and directories in this manual.
Note: The modular inputs feature has superseded this ***SPLUNK***
header feature. If you need dynamically-generated values for host, source and sourcetype, consider writing a modular input.
To use this feature, you append a single dynamic input header to your file and specify the metadata fields you want to assign values to. The available metadata fields are sourcetype, host, and source.
You can use this method to assign metadata instead of editing inputs.conf, props.conf, and transforms.conf.
Configure a single input file
To use this feature for an existing input file, edit the file (either manually or with a script) to add a single input header:
***SPLUNK*** <metadata field>=<string> <metadata field>=<string> ...
1. Set <metadata field>=<string>
to a valid metadata/value pair. You can specify multiple pairs. For example, sourcetype=log4j host=swan
.
2. Add the single header anywhere in your file. Any data following the header will be appended with the attributes and values you assign until the end of the file is reached.
3. Add your file to $SPLUNK_HOME/var/spool/splunk
or any other directory being monitored by Splunk.
Configure with a script
In the more common scenario, you write a script to dynamically add an input header to your incoming data stream. Your script can also set the header dynamically based on the contents of the input file.
About default fields (host, source, sourcetype, and more) | Create custom fields at index time |
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release), 9.3.2408
Feedback submitted, thanks!