Getting Data In

How to get counter values in a metrics Index?

oliverpaetzold
New Member

Hi Splunkers,

I am currently working on collecting my SNMP network performance data on Splunk 7.3.3. As SNMP polling tool I use CA Spectrum and its component SSLOGGER.

I prepare the data with some scripts to get the following output:

1577660589,router1,router1_fastethernet1-1-2.3000,0,Interface.ifHCInOctets,1826425060,CiscoASR1013,Router,Region:City:Street_No,1

In Splunk I read the file as usual, assign it to a Metrics Index and use a transforms to set the META fields and dimensions relevant for Metrics Store:

[SPECTRUM_SSLOGGER_FORMAT_METRICS]
REGEX = ^[^,]+,([^,]+),([^,]*),([^,]+),([^,]+),([^,]+),([^,]+),([^,]+),([^,]+),([^,]+)
FORMAT = ModelName::$2 Instance::$3 metric_name::$4 _value::$5  SwitchType::$6 DeviceClass::$7 SpectrumTopology::$8 BU::$9
WRITE_META = true

host=router1
ModelName=router1_fastethernet1-1-2.3000
Instance=0
metric_name=Interface.ifHCInOctets
_value=1826425060
SwitchType=CiscoASR1013
DeviceClass=Router
SpectrumTopology=Region:City:Street_No
BU=1

This works fine so far, except that Splunk reads the _value as GAUGE (this is default type) and unfortunately I couldn't find a way to tell him that it is a COUNTER value. In the manual I can only find for a solution for StatsD, to handle GAUGE and COUNTER values by |g and |c, but unfortunately I can't find out how to do this with a CSV input.

Can anyone help me?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...