This mostly sounds like a badly managed Splunk. If a 1200 line Python script is all you need to replace a Splunk instance, you weren't doing anything all that interesting or well in the first place.
> useful metadata like the IP address of the instance, the machine name, the log source, the datetime,
This should be tagged on every single log line already, and not something that you should be doing post-ingestion.
The logs included things like the systemd logs and stuff that I don’t have control over. You need to be able to enrich with arbitrary metadata for it to be generally useful.
My point is more that a large portion of Splunk customers could do the same thing I did and be way better off. Obviously not their huge enterprise customers spending millions a year.
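As an added illustration of the point the two commenters are circling (tag every line at ingest rather than trying to reconstruct provenance later), here is a small ingest-side enricher; it is example code written for this thread, not the script either commenter describes. It assumes lines in the `journalctl -o short-iso` layout, and the sample lines, host values and the `systemd-journal` source label are constructed. The collector stamps its own `machine_name` / `instance_ip` on every record, keeps the host the line reports about itself as a separate `reported_host` field (the two disagreeing is worth a detection rule on its own), and never drops a line it cannot parse.

```python
import json
import re
import socket
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional

# Constructed sample: lines as emitted by `journalctl -o short-iso`, a format the
# collector does not control. None carry the instance IP or a log-source label.
SAMPLE_LINES = [
    "2024-03-12T10:15:01+0000 web01 sshd[1234]: Accepted publickey for deploy from 203.0.113.5 port 52912",
    "2024-03-12T10:15:07+0000 web01 systemd[1]: Started Session 42 of user deploy.",
    "this line does not match the expected format",
]

# short-iso layout: <iso timestamp> <host> <unit>[<pid>]: <message>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<unit>[^\[\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)


def host_metadata(hostname: Optional[str] = None, ip: Optional[str] = None) -> Dict[str, str]:
    """Metadata the collector stamps on every line. Defaults to the local host so
    each instance tags its own output; callers may pass explicit values."""
    hostname = hostname or socket.gethostname()
    if ip is None:
        try:
            ip = socket.gethostbyname(hostname)
        except OSError:
            ip = "0.0.0.0"  # unresolvable: keep the field present so queries never silently miss it
    return {"instance_ip": ip, "machine_name": hostname}


def parse_line(line: str) -> Dict[str, object]:
    """Split one journal line into fields. Unparseable lines are kept and flagged,
    never discarded: a line that breaks the parser is often the interesting one."""
    m = LINE_RE.match(line)
    if not m:
        return {"raw": line, "parse_error": True}
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S%z").astimezone(timezone.utc)
    return {
        "timestamp": ts.isoformat(),          # normalised to UTC
        "reported_host": m.group("host"),     # self-reported by the line, not trusted
        "unit": m.group("unit"),
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "message": m.group("msg"),
        "raw": line,
        "parse_error": False,
    }


def enrich(record: Dict[str, object], meta: Dict[str, str], source: str, ingested_at: str) -> Dict[str, object]:
    """Attach collector-side provenance. Collector fields win over anything in the line."""
    out = dict(record)
    out.update(meta)
    out["log_source"] = source
    out["ingested_at"] = ingested_at
    return out


def ingest(lines: Iterable[str], meta: Dict[str, str], source: str, ingested_at: Optional[str] = None) -> List[Dict[str, object]]:
    """Parse and enrich a batch. `ingested_at` is injectable so batches are reproducible in tests."""
    stamp = ingested_at or datetime.now(timezone.utc).isoformat()
    return [enrich(parse_line(line), meta, source, stamp) for line in lines]


def to_jsonl(records: List[Dict[str, object]]) -> str:
    """One JSON object per line, the shape most log stores and a grep both handle."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in records)


if __name__ == "__main__":
    # Constructed host values; in production host_metadata() with no arguments is used.
    meta = host_metadata(hostname="web01", ip="10.0.0.7")
    print(to_jsonl(ingest(SAMPLE_LINES, meta, "systemd-journal")))
```

The design choice worth copying is that `instance_ip` and `machine_name` come from the collector process, not from the text of the line: a log line can claim any hostname, but the tag applied by the agent reading the journal on that box is something an analyst can rely on, and the two disagreeing is itself a signal.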