Getting Data In

How to get counter values in a metrics Index?

oliverpaetzold
New Member

Hi Splunkers,

I am currently working on collecting my SNMP network performance data on Splunk 7.3.3. As SNMP polling tool I use CA Spectrum and its component SSLOGGER.

I prepare the data with some scripts to get the following output:

1577660589,router1,router1_fastethernet1-1-2.3000,0,Interface.ifHCInOctets,1826425060,CiscoASR1013,Router,Region:City:Street_No,1

In Splunk I read the file as usual, assign it to a Metrics Index and use a transforms to set the META fields and dimensions relevant for Metrics Store:

[SPECTRUM_SSLOGGER_FORMAT_METRICS]
REGEX = ^[^,]+,([^,]+),([^,]*),([^,]+),([^,]+),([^,]+),([^,]+),([^,]+),([^,]+),([^,]+)
FORMAT = ModelName::$2 Instance::$3 metric_name::$4 _value::$5  SwitchType::$6 DeviceClass::$7 SpectrumTopology::$8 BU::$9
WRITE_META = true

host=router1
ModelName=router1_fastethernet1-1-2.3000
Instance=0
metric_name=Interface.ifHCInOctets
_value=1826425060
SwitchType=CiscoASR1013
DeviceClass=Router
SpectrumTopology=Region:City:Street_No
BU=1

This works fine so far, except that Splunk reads the _value as GAUGE (this is default type) and unfortunately I couldn't find a way to tell him that it is a COUNTER value. In the manual I can only find for a solution for StatsD, to handle GAUGE and COUNTER values by |g and |c, but unfortunately I can't find out how to do this with a CSV input.

Can anyone help me?

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...