Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I keep an event AND get a metric at index time?

daniel333
Builder
‎06-11-2019 11:03 PM

All,

I see a few examples on convert an event received into a metric. Is there a way to say keep an apache log and create a metric of the stratus?

thanks
-Daniel

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

harsmarvania57
Ultra Champion
‎06-12-2019 01:33 AM

Hi,

You can convert existing event data into metric using mcollect command so in your case you need to schedule search which will run at regular interval and index data into metric index. Please refer documentation on https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/Mcollect

Using this approach it will keep your apache logs in event index and it will ingest metric data in metric index, only drawback is you'll not able to see real-time data in metric event because it is purely depend on schedule search frequency.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

harsmarvania57
Ultra Champion
‎06-12-2019 01:33 AM

Hi,

You can convert existing event data into metric using mcollect command so in your case you need to schedule search which will run at regular interval and index data into metric index. Please refer documentation on https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/Mcollect

Using this approach it will keep your apache logs in event index and it will ingest metric data in metric index, only drawback is you'll not able to see real-time data in metric event because it is purely depend on schedule search frequency.

0 Karma
Reply
Solved! Jump to solution

daniel333
Builder
‎06-12-2019 07:45 AM

Yeah, that might work. I'll talk to the customer to see if a 15 min backfill/delay is acceptable. Thanks for the reply!

0 Karma
Reply
Get Updates on the Splunk Community!

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

We’ve been buzzing with excitement about the recent validation of Splunk Education! The 2024 Splunk Career ...

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...