We have updated our Terms of Service, Code of Conduct, and Addendum.

Adding Splunk Metadata to events

Options
Tike Awe
Tike Awe Posts: 1
in Stream

I have an Event with no Splunk Metadata value within the events and i am trying to add new fields such as host, index,source and sourcetype . custom fields and i tried using an eval but no luck, how do i go about this ?

Tagged:

Answers

  • Ralph Nowitzki
    Ralph Nowitzki Posts: 6
    Options

    Hi @Tike Awe ,

    What did you try so far?

    Usually you would just add an Eval Function to a Pipeline and eval e.g.:
    index → 'yourindexname'

    Values need to be single quoted.

    This would end up as a new field to the root of the event and as indexed field in Splunk.

  • Paul Dott
    Paul Dott Posts: 33 ✭✭
    Options

    You can also set metadata within the Source itself under "Fields". This can be handy if the source events are all going to the same place since you can set and forget.

Categories