I use Splunk to analyze log data associated with a support ticket. When I import data into Splunk from a log tarball, I would like to add a field to all events indicating the original tar file it was extracted from. Like this: filename = mylogtarball.tgz
I want this field applied to all events that result from the tarball extraction and import. But of course, when I upload anotherlogdir.tgz, I want the filename field for those events to show the correct value there.
Any thoughts on how I could make this happen?