Splunk_TA_windows - Perfmon monitors - Seems the app by default indexes metrics data as well as event data by default?

erlingen
Engager

We are planning to upgrade our Splunk_TA_windows app (8.5.0 atm) to the latest version, and during the deep-dive into props and transforms I noticed all these transforms being called from Perfmon sourcetypes. Example:

[Perfmon:Processor]
EVAL-cpu_user_percent = if(counter=="% User Time",Value,null())
EVAL-cpu_load_percent = if(counter=="% Processor Time",Value,null())
FIELDALIAS-cpu_instance = instance AS cpu_instance
EVAL-cpu_interrupts = if(counter=="Interrupts/sec" AND instance=="_Total",Value,null())

## Creation of redundant EVAL to avoid tag expansion issue ADDON-10972
EVAL-windows_cpu_load_percent = if(counter=="% Processor Time",Value,null())

FIELDALIAS-dest_for_perfmon = host AS dest
FIELDALIAS-src_for_perfmon = host AS src

TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store
TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
EVAL-metric_type = "gauge"

These transforms seem to extract data and store them in meta fields, like this one:

[value_for_perfmon_metrics_store]
REGEX = Value=\"?([^\"\r\n]*[^\"\s])
FORMAT = _value::$1
WRITE_META = true

We have until now indexed Perfmon data to event indexes - Will these transforms lead to unnecessary data storage on the indexer cluster?
Should we comment out the transforms until we're ready to move Perfmon data over to metrics indexes?

shivanshu1593
Builder

It shouldn't. The transforms are just creating fields for you to see, using WRITE_META = true during index time, as it helps to automatically write the regex to the metadata. It's just a proper way of doing field extractions for you during index time so that you won't have to create field extractions at search time. This doesn't mean that it will route the data to the _metrics index.

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###
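As an added illustration (not code from the TA or from either poster), the Python below simulates what the quoted value_for_perfmon_metrics_store stanza does to a constructed Perfmon event, and contrasts it with a hypothetical stanza that really would rewrite the destination index through DEST_KEY = _MetaData:Index. The multi-line event layout and the routing stanza are assumptions made for the example.

```python
import re

# Constructed sample Perfmon:Processor event (the multi-line key=value layout
# is an assumption about how the Windows TA emits perfmon events).
SAMPLE_EVENT = (
    "06/10/2024 10:15:00.123\n"
    "collection=Processor\n"
    "object=Processor\n"
    "counter=% Processor Time\n"
    "instance=_Total\n"
    "Value=12.345\n"
)

# Stanza quoted in the question: an index-time field extraction only.
VALUE_STANZA = {
    "REGEX": r'Value=\"?([^\"\r\n]*[^\"\s])',
    "FORMAT": "_value::$1",
    "WRITE_META": "true",
}

# Hypothetical routing stanza (NOT in the TA), shown only to contrast what a
# transform that changes the destination index would have to contain.
ROUTING_STANZA = {
    "REGEX": r"collection=Processor",
    "DEST_KEY": "_MetaData:Index",
    "FORMAT": "perfmon_metrics",
}


def apply_transform(event: str, stanza: dict) -> dict:
    """Simulate one transforms.conf stanza against a raw event.

    Returns {"fields": {indexed fields}, "index": new index name or None}.
    """
    result = {"fields": {}, "index": None}
    match = re.search(stanza["REGEX"], event)
    if not match:
        return result
    # Expand $1, $2, ... in FORMAT with the regex capture groups.
    fmt = re.sub(r"\$(\d+)", lambda m: match.group(int(m.group(1))), stanza["FORMAT"])
    if stanza.get("DEST_KEY") == "_MetaData:Index":
        result["index"] = fmt  # only this key rewrites where the event is stored
    elif stanza.get("WRITE_META", "false").lower() == "true":
        for pair in fmt.split():  # each "name::value" becomes an indexed field
            name, value = pair.split("::", 1)
            result["fields"][name] = value
    return result


def changes_index(stanza: dict) -> bool:
    """True only when the stanza targets the index metadata key."""
    return stanza.get("DEST_KEY") == "_MetaData:Index"
```

Of the settings shown, only DEST_KEY = _MetaData:Index changes which index an event lands in; the WRITE_META stanza adds an indexed `_value` field and leaves the destination untouched.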
