Hi,
I'd like to store the data collected by the "Splunk Add-on for Microsoft SQL Server" in a metrics index. Initially I installed the TA as as described and it collected data to a normal index with no problems. So I updated it's inputs.conf file to point to the metrics index which failed because the data wasn't structured correctly. So after a little bit of Googling I crafted a props and transforms files to change the counter field to metric_name (mainly based on this answer: Sending-Perfmon-data-to-metrics-index ) but it's still not working.
In inputs.conf file looks like so (I'm just showing one measure as an example):
[perfmon://sqlserverhost:processor]
object = Processor
counters = % Processor Time
instances = _Total
interval = 60
showZeroValue = 1
mode = single
disabled = 0
index = em_metrics
sourcetype = PerfmonMetrics:sqlserverhost:processor
Props.conf
[PerfmonMetrics:sqlserverhost:processor]
TRANSFORMS-metric = sqlserverhost_metric
TRANSFORMS-value = sqlserverhost_value
Transforms.conf
[sqlserverhost_metric]
REGEX = collection=(.+)[\s\S]*counter=(.+)[\s\S]*instance=(.+)
FORMAT = metric_name::$1.$3.$2
WRITE_META = true
[sqlserverhost_value]
REGEX = Value=(.+)
FORMAT = metric_value::$1
WRITE_META = true
All three of these files are on the Universal Forwarder on the MSSQL host I'd like to monitor.
The architecture of the Splunk instance is Univeral Forwarder on the host, to Heavy Forwarder, then via Cribl (which allows me to see the transforms are not working) to the Indexer/Search Head.
What am I doing wrong here?
Thanks
Eddie
Hi Greg,
Thanks for your response. I haven't really got this working still (I have a solution using Cribl to change the data later on) - I'm still struggling to get access to the heavy forwarder. However I agreed with your advice that the the props and transforms files need to go on the Heavy Forwarder.
When I finally get access I'll give it a try.
Thanks
Hey eddieddieddie,
Not sure if you've resolved this already but your props.conf and transforms.conf need to be on your HF as well for the transforms you're expecting to work.
https://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings%3F
Hope this helps (or that you had already resolve this).
Thanks,
Greg