This documentation does not apply to the most recent version of Splunk.
This documentation applies to the following versions of Splunk: 3.3 , 3.3.1 , 3.3.2 , 3.3.3 , 3.3.4 , 3.4 , 3.4.1 , 3.4.2 , 3.4.3 , 3.4.5 , 3.4.6 , 3.4.8 , 3.4.9 , 3.4.10 , 3.4.11 , 3.4.12 , 3.4.13
Dynamically assign metadata to files as they are being consumed by Splunk. Append the dynamic input header to your file and set any metadata fields you'd like. You can see the available pipeline metadata fields in transforms.conf.spec.
Use this feature for any incoming data streams that might have different sourcetypes, hosts or other metadata that you would like to indicate dynamically. Set any metadata in this manner, as opposed to using inputs.conf, props.conf and transforms.conf.
Edit any file to add the dynamic input header.
***SPLUNK*** $ATTR1=$VAL1 $ATTR2=$VAL2 etc
$ATTR1=$VAL1 to the values you wish.
sourcetype=log4j host=swan.
$SPLUNK_HOME/var/spool/splunk or any other directory being monitored by Splunk.
Write a script to automatically add the dynamic input header to your incoming data streams. Your script can also set attributes dynamically based on the contents of your file.
For example, Splunk's report caching script takes an index as a variable and automatically assigns that index to incoming data streams.