Hi Splunkers,

I am currently working on collecting my SNMP network performance data on Splunk 7.3.3. As SNMP polling tool I use CA Spectrum and its component SSLOGGER.

I prepare the data with some scripts to get the following output:

1577660589,router1,router1_fastethernet1-1-2.3000,0,Interface.ifHCInOctets,1826425060,CiscoASR1013,Router,Region:City:Street_No,1

In Splunk I read the file as usual, assign it to a Metrics Index and use a transforms to set the META fields and dimensions relevant for Metrics Store:

[SPECTRUM_SSLOGGER_FORMAT_METRICS]
REGEX = ^[^,]+,([^,]+),([^,]*),([^,]+),([^,]+),([^,]+),([^,]+),([^,]+),([^,]+),([^,]+)
FORMAT = ModelName::$2 Instance::$3 metric_name::$4 _value::$5  SwitchType::$6 DeviceClass::$7 SpectrumTopology::$8 BU::$9
WRITE_META = true

host=router1
ModelName=router1_fastethernet1-1-2.3000
Instance=0
metric_name=Interface.ifHCInOctets
_value=1826425060
SwitchType=CiscoASR1013
DeviceClass=Router
SpectrumTopology=Region:City:Street_No
BU=1

This works fine so far, except that Splunk reads the _value as GAUGE (this is default type) and unfortunately I couldn't find a way to tell him that it is a COUNTER value. In the manual I can only find for a solution for StatsD, to handle GAUGE and COUNTER values by |g and |c, but unfortunately I can't find out how to do this with a CSV input.

Can anyone help me?