This documentation applies to the following versions of Splunk: 4.0 , 4.0.1 , 4.0.2 , 4.0.3 , 4.0.4 , 4.0.5 , 4.0.6 , 4.0.7 , 4.0.8 , 4.0.9 , 4.0.10
Dynamically assign metadata to files as they are being consumed by Splunk. Use this feature to specify source type, host, or other metadata dynamically for for incoming data.
Important: This feature is supported for use with batch (one time upload) inputs only. Splunk does not recommend using dynamic metadata assignment with ongoing monitoring (tail) inputs. For more information about file inputs, refer to Monitor files and directories in this manual.
Append a single dynamic input header to your file and specify the metadata fields you'd like. You can see the available pipeline metadata fields in transforms.conf.spec.
You can use this method to assign metadata instead of editing inputs.conf, props.conf and transforms.conf.
Edit a data file to add a single dynamic input header.
***SPLUNK*** $ATTR1=$VAL1 $ATTR2=$VAL2 etc.
$ATTR1=$VAL1 to the values you wish. For example, set sourcetype=log4j host=swan.
$SPLUNK_HOME/var/spool/splunk or any other directory being monitored by Splunk.
Write a script to automatically add a dynamic input header to your incoming data streams. Your script can also set attributes dynamically based on the contents of your file.