https://community.splunk.com/t5/Getting-Data-In/Converting-log-events-to-metrics-using-existing-fields/m-p/395839#M96458 <P>When metrics are involved it's more than just defining the sourcetype. Standard fields need to be defined to play well with metrics store.</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/7.2.1/Metrics/L2MOverview">http://docs.splunk.com/Documentation/Splunk/7.2.1/Metrics/L2MOverview</A></P> Sun, 18 Nov 2018 16:52:03 GMT brent_weaver 2018-11-18T16:52:03Z https://community.splunk.com/t5/Getting-Data-In/Converting-log-events-to-metrics-using-existing-fields/m-p/395837#M96456 <P>Good morning all, I am reading docs on how to create sourcetypes for metrics but none go into how to just use fields instead of regex. I am using fluentbit to send metrics to HEC (and it works perfectly) in JSON format. </P> <P>How do I use the existing fields to rewrite the sourcetype as metrics? </P> <P>I included a screenshot of what the events look like.<span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/6131i760D7F5F0DCC65A1/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Sun, 18 Nov 2018 13:05:50 GMT https://community.splunk.com/t5/Getting-Data-In/Converting-log-events-to-metrics-using-existing-fields/m-p/395837#M96456 brent_weaver 2018-11-18T13:05:50Z https://community.splunk.com/t5/Getting-Data-In/Converting-log-events-to-metrics-using-existing-fields/m-p/395838#M96457 <P>Can’t you define the sourcetype when you setup the HEC token?</P> <P>Would you want to change the sourcetype there?</P> <P>There is a sourcetype rename feature in the settings drop down under fields I believe.</P> Sun, 18 Nov 2018 14:44:06 GMT https://community.splunk.com/t5/Getting-Data-In/Converting-log-events-to-metrics-using-existing-fields/m-p/395838#M96457 jkat54 2018-11-18T14:44:06Z https://community.splunk.com/t5/Getting-Data-In/Converting-log-events-to-metrics-using-existing-fields/m-p/395839#M96458 <P>When metrics are involved it's more than just defining the sourcetype. Standard fields need to be defined to play well with metrics store.</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/7.2.1/Metrics/L2MOverview">http://docs.splunk.com/Documentation/Splunk/7.2.1/Metrics/L2MOverview</A></P> Sun, 18 Nov 2018 16:52:03 GMT https://community.splunk.com/t5/Getting-Data-In/Converting-log-events-to-metrics-using-existing-fields/m-p/395839#M96458 brent_weaver 2018-11-18T16:52:03Z https://community.splunk.com/t5/Getting-Data-In/Converting-log-events-to-metrics-using-existing-fields/m-p/395840#M96459 <P>Ok so you don’t want to “rewrite the sourcetype as metrics”...</P> <P>This was somewhere on the link you gave, does it make sense?</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/7.2.1/Metrics/L2MConfiguration">http://docs.splunk.com/Documentation/Splunk/7.2.1/Metrics/L2MConfiguration</A></P> Sun, 18 Nov 2018 18:54:48 GMT https://community.splunk.com/t5/Getting-Data-In/Converting-log-events-to-metrics-using-existing-fields/m-p/395840#M96459 jkat54 2018-11-18T18:54:48Z