Getting Data In

MSSQL TA and putting it's data into a metrics index

eddieddieddie
Path Finder

Hi,

I'd like to store the data collected by the "Splunk Add-on for Microsoft SQL Server" in a metrics index. Initially I installed the TA as as described and it collected data to a normal index with no problems. So I updated it's inputs.conf file to point to the metrics index which failed because the data wasn't structured correctly. So after a little bit of Googling I crafted a props and transforms files to change the counter field to metric_name (mainly based on this answer: Sending-Perfmon-data-to-metrics-index ) but it's still not working.

In inputs.conf file looks like so (I'm just showing one measure as an example):

[perfmon://sqlserverhost:processor]
object = Processor
counters = % Processor Time
instances = _Total
interval = 60
showZeroValue = 1
mode = single
disabled = 0
index = em_metrics
sourcetype = PerfmonMetrics:sqlserverhost:processor

Props.conf

[PerfmonMetrics:sqlserverhost:processor]
TRANSFORMS-metric = sqlserverhost_metric
TRANSFORMS-value = sqlserverhost_value

Transforms.conf

[sqlserverhost_metric]
REGEX = collection=(.+)[\s\S]*counter=(.+)[\s\S]*instance=(.+)
FORMAT = metric_name::$1.$3.$2
WRITE_META = true

[sqlserverhost_value]
REGEX = Value=(.+)
FORMAT = metric_value::$1
WRITE_META = true

All three of these files are on the Universal Forwarder on the MSSQL host I'd like to monitor.

The architecture of the Splunk instance is Univeral Forwarder on the host, to Heavy Forwarder, then via Cribl (which allows me to see the transforms are not working) to the Indexer/Search Head.

What am I doing wrong here?
Thanks
Eddie

0 Karma

eddieddieddie
Path Finder

Hi Greg,

Thanks for your response. I haven't really got this working still (I have a solution using Cribl to change the data later on) - I'm still struggling to get access to the heavy forwarder.  However I agreed with your advice  that the the props and transforms files need to go on the Heavy Forwarder.

When I finally get access I'll give it a try.

Thanks

Greg_Becker
Engager

Hey eddieddieddie,

Not sure if you've resolved this already but your props.conf and transforms.conf need to be on your HF as well for the transforms you're expecting to work.

https://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings%3F

Hope this helps (or that you had already resolve this).

Thanks,
Greg

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...