This has been asked before, and the questions seems to die. So here I am with a slightly different use case/phrasing.
Dearest Splunk Devs, please let me use environmental variables in my configs.
Issue:
Current situaiton:
transforms.conf
[addmeta]
REGEX = .
FORMAT = collector::$HOSTNAME
WRITE_META = true
props.conf
[generic_single_line]
TRANSFORMS-addmeta = addmeta
This results in the unfortunate log:
4/6/22
1:01:17.000 PM
testing my props.conf with a simple log
collector = $HOSTNAME
sourcetype = generic_single_line
But what SHOULD be happening:
4/6/22
1:01:17.000 PM
testing my props.conf with a simple log
collector = EventCollect01.domain.com
sourcetype = generic_single_line
What can I do to pull some sort of internal variable instead of hardcoding the host?
I have this exact issue too, we have hundreds of UFs managed with CICD and want a way to stamp where logs are ingested from... how do we do this?
FYI -- here is my suggestion I posted.
There are only a few instances where environment variables are honored and props.conf is not among them.
Go to https://ideas.splunk.com to request it.