https://community.splunk.com/t5/Getting-Data-In/How-to-filter-dataset-within-a-log-index-to-a-metrics-index/m-p/627115#M107671 <P>Yes, that can be done using props and transforms.&nbsp; I won't get into it here, but it's documented at&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/9.0.3/Metrics/L2MConfiguration" target="_blank">https://docs.splunk.com/Documentation/Splunk/9.0.3/Metrics/L2MConfiguration</A></P> Fri, 13 Jan 2023 21:32:59 GMT richgalloway 2023-01-13T21:32:59Z https://community.splunk.com/t5/Getting-Data-In/How-to-filter-dataset-within-a-log-index-to-a-metrics-index/m-p/627100#M107667 <P>Hello,</P> <P>I have an existing high volume index and have discovered a chunk of event logs within the index that would be a great canidate to convert to metrics.&nbsp; Can you filter these type of events to send to the metrics index and then convert the events to metrics at index time all using props/transforms?</P> <P>I have this props.conf&nbsp;</P> <P>[my_highvol_sourcetype]</P> <P>TRANSFORMS-routetoIndex = route_to_metrics_index</P> <P>Transforms.conf</P> <P>[route_to_metrics_index]</P> <P>REGEX = cpuUtilization\=</P> <P>DEST_KEY=_MetaData:Index</P> <P>FORMAT = my_metrics_index</P> <P>But now what sourcetype do I use to apply the event log to metrics conversion settings?&nbsp; Should I filter this dataset to a new sourcetype within my high volume index so I can apply my event log to metrics to all events matching the new sourcetype then filter to the metrics index?</P> <P>Any thoughts would be helpful to see if something like this is possible to do using props/transforms.</P> Mon, 16 Jan 2023 19:46:59 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-filter-dataset-within-a-log-index-to-a-metrics-index/m-p/627100#M107667 johnward4 2023-01-16T19:46:59Z https://community.splunk.com/t5/Getting-Data-In/How-to-filter-dataset-within-a-log-index-to-a-metrics-index/m-p/627115#M107671 <P>Yes, that can be done using props and transforms.&nbsp; I won't get into it here, but it's documented at&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/9.0.3/Metrics/L2MConfiguration" target="_blank">https://docs.splunk.com/Documentation/Splunk/9.0.3/Metrics/L2MConfiguration</A></P> Fri, 13 Jan 2023 21:32:59 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-filter-dataset-within-a-log-index-to-a-metrics-index/m-p/627115#M107671 richgalloway 2023-01-13T21:32:59Z https://community.splunk.com/t5/Getting-Data-In/How-to-filter-dataset-within-a-log-index-to-a-metrics-index/m-p/627117#M107672 <P>Thanks&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;I have the conversion part configured but what I'm having trouble with is knowing what [sourcetype] to put the props.conf &amp; transforms.conf under since I'm filtering from an existing index and base sourcetype.&nbsp; Most of the main index data isn't not a canidate to convert from log event to metrics.</P><P>Normally I would use props and transforms to filter via REGEX to rename the matching data to set it to a new sourcetype.&nbsp; In this case I'm trying to filter my REGEX match for a specific type of dataset, rename the sourcetype if needed, convert the field values to metrics and send this to the new metrics index.</P> Fri, 13 Jan 2023 21:43:12 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-filter-dataset-within-a-log-index-to-a-metrics-index/m-p/627117#M107672 johnward4 2023-01-13T21:43:12Z https://community.splunk.com/t5/Getting-Data-In/How-to-filter-dataset-within-a-log-index-to-a-metrics-index/m-p/627361#M107703 <P>I'm not sure how to proceed as this is an unusual use case.</P><P>This seems like a good use for Cribl, however.&nbsp; See <A href="https://cribl.io" target="_blank">https://cribl.io</A></P> Tue, 17 Jan 2023 14:24:18 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-filter-dataset-within-a-log-index-to-a-metrics-index/m-p/627361#M107703 richgalloway 2023-01-17T14:24:18Z