Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Routing Metric events to null queue

markhvesta
Path Finder
‎01-18-2022 11:52 AM

I am trying to route metric type events to a null queue to avoid indexing them but they are still coming through.  Any ideas if there is a special way to do this?

 

props.conf:

[azr_proda_metrics]
TRANSFORMS-set= kubenullmetrics

 

transforms.conf:

[kubenullmetrics]
REGEX=metric_name=kube.cluster.cpu.request| metric_name=kube.cluster.memory.request

DEST_KEY=queue
FORMAT=nullQueue

Labels (2)
Labels
0 Karma
Reply

psla
Explorer
‎09-02-2024 04:40 AM

Any ideas how it can be achieved?

0 Karma
Reply

DanielPi
Moderator
Moderator
‎09-02-2024 07:03 AM

Hi @psla ,

I’m a Community Moderator in the Splunk Community.

This question was posted 2 years ago, so it might not get the attention you need for your question to be answered. We recommend that you post a new question so that your issue can get the  visibility it deserves. To increase your chances of getting help from the community, follow these guidelines in the Splunk Answers User Manual when creating your post.

Thank you! 

0 Karma
Reply

psla
Explorer
‎09-03-2024 12:19 AM

I think I got the attention, because it's on the top on the list.

But why should I create another duplicate question? This one describes exactly what I need, and it's still not resolved. Also, guidelines say: "If no one else has asked your question, navigate to https://community.splunk.com  and click Ask a Question, next to the search bar."

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎09-03-2024 03:19 AM

Maybe so that you can show _your_ config, _your_ data and say what exactly does or doesn't work in your case. 😉

0 Karma
Reply

psla
Explorer
‎09-03-2024 03:34 AM

I'm referring to the original post.  @markhvesta said that his transforms are not working for metrics data. I have the same issue (metric names are of course different).  So, configuration is already here, I don't have to paste my configuration. Regex is working (tested on regex101).

And the main question in this post is "Any ideas if there is a special way to do this [for metrics data]?"

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎09-03-2024 04:04 AM

So everything is the same except the metrics are different, the data is different and generally we don't know what and why "doesn't work", right?

But seriously. The data is important here as well as what your transform looks like.

Look at the Masa diagrams https://community.splunk.com/t5/Getting-Data-In/Diagrams-of-how-indexing-works-in-the-Splunk-platfor...

I haven't worked with metrics much but I'd say metric schema is invoked after transforms so you need to filter your data by raw event contents.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...