Splunk Tier Tagging

Do you have a large number of Heavy Forwarder (HF) tiers, or data coming in through other mechanisms? This will help you troubleshoot where that data was "cooked" (parsed) by Splunk.

We will build a simple Splunk add-on that you can deploy on your Heavy Forwarders. It tags every event passing through with the name of the Splunk instance that parsed it, so the parsing tier is visible at search time.

# Let's create our initial app
mkdir -p TA_custom_tagging/local

Now let's hop into our new app's local directory and create the needed files.

# props.conf
# The [default] stanza applies the transform to every sourcetype
[default]
TRANSFORMS-custom_tagging = custom_tagging

# transforms.conf
[custom_tagging]
# Enabling this so we can search on our new indexed field
WRITE_META = true
# Using 'INGEST_EVAL' to take advantage of Splunk metadata during transforms
# Keep in mind that 'splunk_server' is a variable for the server name defined in 'server.conf' under the '[general]' stanza
# Feel free to use whatever 'tag' you want to use instead of 'custom_tagging' below
# Once deployed, the indexed field can be searched directly, e.g. custom_tagging=<serverName>
INGEST_EVAL = custom_tagging=(splunk_server)
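A mismatch between the TRANSFORMS-* reference in props.conf and the stanza name in transforms.conf silently disables the tagging, so it is worth checking the add-on before pushing it to the HF tier. The script below is an added example, not part of this post: it writes the two files from above into the TA_custom_tagging/local layout and lints them for dangling references and empty transforms, using Python's configparser as an approximation of Splunk's own .conf parser (an assumption; Splunk's parser is more permissive).

```python
import configparser
import tempfile
from pathlib import Path

# Constructed copies of the two files from the post above (sample input, not a live deployment).
PROPS_CONF = """\
[default]
TRANSFORMS-custom_tagging = custom_tagging
"""
TRANSFORMS_CONF = """\
[custom_tagging]
WRITE_META = true
INGEST_EVAL = custom_tagging=(splunk_server)
"""


def load_conf(text):
    """Parse Splunk .conf text with configparser (an approximation of Splunk's own parser)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep INGEST_EVAL / TRANSFORMS-x exactly as written
    cp.read_string(text)
    return cp


def check_tagging_app(props_text, transforms_text):
    """Return a list of problems; [] means props.conf and transforms.conf agree."""
    props, transforms = load_conf(props_text), load_conf(transforms_text)
    problems = []
    for stanza in props.sections():
        for key, value in props.items(stanza):
            if not key.startswith("TRANSFORMS-"):
                continue
            # A TRANSFORMS-<class> value may list several transform stanzas, comma separated
            for name in (n.strip() for n in value.split(",")):
                if not transforms.has_section(name):
                    problems.append(f"[{stanza}] {key} references missing transform [{name}]")
                elif not (transforms.has_option(name, "INGEST_EVAL") or transforms.has_option(name, "REGEX")):
                    problems.append(f"[{name}] sets neither INGEST_EVAL nor REGEX, so it does nothing")
    return problems


def build_and_check_app(root=None):
    """Write TA_custom_tagging/local/{props,transforms}.conf and lint what was written."""
    root = Path(root) if root else Path(tempfile.mkdtemp())
    local = root / "TA_custom_tagging" / "local"
    local.mkdir(parents=True, exist_ok=True)
    (local / "props.conf").write_text(PROPS_CONF)
    (local / "transforms.conf").write_text(TRANSFORMS_CONF)
    return check_tagging_app((local / "props.conf").read_text(), (local / "transforms.conf").read_text())


if __name__ == "__main__":
    print(build_and_check_app() or "TA_custom_tagging looks consistent")
```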

Hope this helps and thanks for dropping by!
- Adam