- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Splunk_TA_windows - Perfmon monitors - Seems the a...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We are planning to upgrade our Splunk_TA_windows app (8.5.0 atm) to the latest version, and during the deep-dive into props and transforms I noticed all these transforms being called from Perfmon sourcetypes. Example:
[Perfmon:Processor]
EVAL-cpu_user_percent = if(counter=="% User Time",Value,null())
EVAL-cpu_load_percent = if(counter=="% Processor Time",Value,null())
FIELDALIAS-cpu_instance = instance AS cpu_instance
EVAL-cpu_interrupts = if(counter=="Interrupts/sec" AND instance=="_Total",Value,null())
## Creation of redundant EVAL to avoid tag expansion issue ADDON-10972
EVAL-windows_cpu_load_percent = if(counter=="% Processor Time",Value,null())
FIELDALIAS-dest_for_perfmon = host AS dest
FIELDALIAS-src_for_perfmon = host AS src
TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store
TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
EVAL-metric_type = "gauge"
These transforms seem to extract data and store them in meta fields, like this one:
[value_for_perfmon_metrics_store]
REGEX = Value=\"?([^\"\r\n]*[^\"\s])
FORMAT = _value::$1
WRITE_META = true
We have untill now indexed Perfmon data to event indexes - Will these transforms lead to unneccessary data storage on the indexer cluster?
Should we comment out the transforms untill we're ready to move Perfmon data over to metrics indexes?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It shouldn't. The transforms is just creating fields for you to see using WRITE_META = true during index time as it helps to automatically write the regex to the metadata. Just a proper way of doing field extractions for you during index time so that you won't have to create field extractions at search time. This doesn't mean that it will route the data to _metrics index.
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It shouldn't. The transforms is just creating fields for you to see using WRITE_META = true during index time as it helps to automatically write the regex to the metadata. Just a proper way of doing field extractions for you during index time so that you won't have to create field extractions at search time. This doesn't mean that it will route the data to _metrics index.
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
