Adding Splunk Metadata to events

Tike Awe · October 13

I have an Event with no Splunk Metadata value within the events and i am trying to add new fields such as host, index,source and sourcetype . custom fields and i tried using an eval but no luck, how do i go about this ?

Ralph Nowitzki · October 16

Hi @Tike Awe ,

What did you try so far?

Usually you would just add an Eval Function to a Pipeline and eval e.g.:
index → 'yourindexname'

Values need to be single quoted.

This would end up as a new field to the root of the event and as indexed field in Splunk.

Paul Dott · October 17

You can also set metadata within the Source itself under "Fields". This can be handy if the source events are all going to the same place since you can set and forget.

Adding Splunk Metadata to events

Answers

Categories