These common bits of metadata are used in the parsing stage to pick the appropriate stanzas in props.conf:
- host: By default, host will be set to the hostname of the machine producing the event. This is usually the correct value, but it can be overridden when appropriate.
- source: This field is usually set to the path, file, or network port that an event came from, but this value can be hardcoded.
- sourcetype: This field is almost always set in inputs.conf and is the primary field used to determine which set of parsing rules in props.conf applies to these events.
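
As an added illustration (not from the original text), the two files below show an input that sets these fields and the props.conf stanzas that match on each of them. The log path, host name and sourcetype name are constructed for the example.

```ini
# inputs.conf (on the forwarder) -- constructed example
[monitor:///var/log/app/auth.log]
# Override the default host (the forwarder's own hostname), for example
# when this machine collects logs on behalf of another system.
host = authsrv01
# sourcetype is set here and is the main key used to select parsing rules.
sourcetype = app:auth
# source is left unset, so it defaults to the monitored file path.

# props.conf (on the instance that parses: indexer or heavy forwarder)

# Stanza selected by sourcetype
[app:auth]
TIME_PREFIX = ^\[
TIME_FORMAT = %Y-%m-%d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 25
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)

# Stanza selected by source
[source::/var/log/app/auth.log]
TRUNCATE = 20000

# Stanza selected by host
[host::authsrv01]
TZ = UTC
```

All three stanzas apply to events from this input. If the same setting appears in more than one of them, the `source::` stanza wins over the `host::` stanza, which wins over the sourcetype stanza.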