We're trying to find a way to have the universal forwarder send data to the indexer essentially pre-marked with a small number of custom fields (or the like) that we can later search on. For example, a particular computer might be from project-X and be in an environment of test or prod or development. Since VMs come and go, we can't do any persistent mapping of which computer has these added characteristics (host-n.n.n.n might be dev today, prod tomorrow), but the 'data' is persistent.
I stumbled across the _meta construct in inputs.conf, which works well enough for 'one' custom field. Just like specifying which index to use, I also specify `_meta = somename::value` in inputs.conf.
The question I have is, how could I have 'multiple' such added fields specified by the universal forwarder? I know there is folklore saying doing this on the forwarder side is somehow evil or something, but we're talking about adding under a half-dozen custom fields (?) for all the events coming from the forwarder computer.
Any suggestions other than pointers to the impossibly unreadable/abstract/no-examples docs which I've wasted tens of hours on already?
How to configure a universal forwarder to add multiple fields to events being forwarded via _meta?
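One way to do what the question asks, shown as an added example that is not part of the original post and not copied from Splunk's own documentation: the `_meta` setting in inputs.conf takes several space-separated `key::value` pairs in one value, and the forwarder stamps every event from that stanza with all of them as indexed fields. It also goes one step past the question by showing the search-head side (fields.conf), which is what makes the new fields usable with ordinary `field=value` search syntax. File paths, stanza names, field names and values below are illustrative assumptions; the placement of `_meta` in `[default]` relies on the usual Splunk rule that `[default]` settings are inherited by every stanza in the same file.

```ini
# ---- On the universal forwarder ----
# /opt/splunkforwarder/etc/system/local/inputs.conf  (path assumed)
#
# The single-field form from the question, for comparison:
#   _meta = project::project-X
#
# Multiple fields: one _meta value, pairs separated by spaces.
# Placed in [default] it is inherited by every input stanza in this file,
# so all events this host forwards carry the same three indexed fields.
[default]
_meta = project::project-X environment::prod owner::platform-team

# An individual stanza may still override the inherited value for its
# own events (here the test-environment log on the same box).
[monitor:///var/log/app/test.log]
index = app
sourcetype = app_log
_meta = project::project-X environment::test owner::platform-team

[monitor:///var/log/app/prod.log]
index = app
sourcetype = app_log
# no _meta here: inherits the [default] pairs above

# ---- On the search head (or indexer) ----
# /opt/splunk/etc/system/local/fields.conf  (path assumed)
#
# Declare each key as an indexed field so that a search such as
#   index=app project=project-X environment=prod
# resolves against the index-time field instead of attempting a
# search-time extraction. Without this, the fields are still there but
# must be searched as  project::project-X  (double-colon form).
[project]
INDEXED = true

[environment]
INDEXED = true

[owner]
INDEXED = true
```

Two practical checks and caveats. First, after editing and restarting the forwarder, `splunk btool inputs list --debug` on the forwarder shows the effective `_meta` for each stanza and which file it came from, which is the quickest way to confirm the inheritance worked. Second, because whitespace is the pair separator, keep every key and value free of spaces. Since the pairs are written into the event at index time, changing a host's role is a matter of changing inputs.conf (typically via a deployment-server app) and restarting the forwarder; events already indexed keep the value they were stamped with, which is exactly the "data is persistent, host is not" behaviour the question describes.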