1
votes

Context

I have a bunch of application servers I would like monitor using Splunk. Servers on every environment run the same applications. Looking for a way to tag this information in order to easily disentangle stage servers from prod server in my dashboards, I came across this trick while reading forums.

inputs.conf of forwarders on production machines

```
[default]
_meta = env::prod
```

inputs.conf of forwarders on stage machines

```
[default]
_meta = env::stage
```

With this trick, I end up with an env field in my parsed data.

```
index=* | stats count by env
```

| env    | count |
|:------:|:-----:|
| stage  |2415686|
| prod   |55677  |

Issue

I can't filter on env:

```
index=* logLevel="ERROR" projectName != "null" env="prod" | stats count(_raw) by projectName
```

Why is that so?

1 - usually this is accomplished by looking at the host - presuming you have a naming convention that indicates different environments, it's great (warren)

Yeah but I am in the case of multiple load balanced systems. A nice way to select every machine from the same environment is a plus (zar3bski)

1 Answer

1
votes

Ok, in my case, env was merely a tag (tags are not indexed by default). In order to index them, you need to explicitly ask for it in fields.conf:

```
[env]
INDEXED = true
```
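As an added example (not code from the question or the answer), a small Python check for the mismatch described above: it parses inputs.conf and fields.conf text in Splunk's stanza format and reports every field declared through `_meta` that has no fields.conf stanza with `INDEXED = true`. The sample config contents are constructed inline, and the parser is deliberately minimal (it is not Splunk's btool).

```python
import re
from collections import defaultdict

# Constructed sample configs (illustration only, not from a real deployment).
INPUTS_CONF = """\
[default]
_meta = env::prod dc::eu-west
"""
FIELDS_CONF = """\
[env]
INDEXED = true

[dc]
INDEXED = false
"""

def parse_conf(text):
    """Minimal parser for Splunk-style .conf text -> {stanza: {key: value}}.
    Skips blank lines and '#' comments; assumption: no line continuations."""
    stanzas = defaultdict(dict)
    current = "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            continue
        key, sep, value = line.partition("=")
        if sep:
            stanzas[current][key.strip()] = value.strip()
    return dict(stanzas)

def meta_fields(inputs_conf):
    """Field names declared through _meta (space-separated name::value pairs)."""
    names = set()
    for stanza in parse_conf(inputs_conf).values():
        for pair in stanza.get("_meta", "").split():
            name, sep, _value = pair.partition("::")
            if sep:
                names.add(name)
    return names

def unindexed_meta_fields(inputs_conf, fields_conf):
    """_meta fields with no fields.conf stanza setting INDEXED = true."""
    fields = parse_conf(fields_conf)
    return sorted(n for n in meta_fields(inputs_conf)
                  if fields.get(n, {}).get("INDEXED", "").lower() != "true")
```

Running `unindexed_meta_fields(INPUTS_CONF, FIELDS_CONF)` on the sample returns `['dc']`, the one field a search like `dc="eu-west"` would not be able to filter on.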