Getting Data In

Which index and sourcetype to choose for the following KPI data?

Hello,

I have the KPI Data in the file and it is organized as follows (header line and the csv KPIs):

    host;port;time;indexserverCpu;indexserverCpuSys;indexserverMemUsed;indexserverMemLimit;indexserverHandles;indexserverPingtime;indexserverSwapIn;sqlConnections;internalConnections;externalConnections;idleConnections;sqlTransactions;internalTransactions;externalTransactions;userTransactions;sqlBlockedTrans;sqlStatements;cidRange;mvccNum;pendingRequestCount;acquiredRecordLocks;searchCount;indexingCount;mergeCount;unloadCount;indexserverThreads;waitingThreads;totalThreads;activeSqlExecutors;waitingSqlExecutors;totalSqlExecutors;dataWriteSize;dataWriteTime;logWriteSize;logWriteTime;dataReadSize;dataReadTime;logReadSize;logReadTime;dataBackupWriteSize;dataBackupWriteTime;logBackupWriteSize;logBackupWriteTime;mutexCollisionCount;readWriteLockCollisionCount;admissinControlAdmitCount;admissionControlRejectCount;admissionControlWaitingRequests;admissionControlWaitTime;cpuUsed;memoryResident;memoryTotalResident;memoryUsed;memoryLimit;memorySize;diskUsed;diskSize;networkIn;networkOut;swapIn;swapOut
    spwdfvml2218;;1540422599.823;-1;-1;-1;-1;-1;-1;-1;-1;-1;-1;-1;-1;-1;-1;-1;-1;-1;-1;-1;-1;-1;-1;-1;-1;-1;-1;-1;-1;-1;-1;-1;-1;-1;-1;-1;-1;-1;-1;-1;-1;-1;-1;-1;-1;-1;-1;-1;-1;-1;1;736463052800;777375464352;296470573347;2094172311552;2164554412032;252985102336;5493801357312;4081894;3299091;0;0
    ;30201;;0;0;7548396670;1805250134043;117;8;0;11;11;0;11;0;0;0;0;0;37;0;0;0;0;35;0;0;0;2;1;135;0;0;5;0;0;16384;1843;0;0;0;0;0;0;0;0;15;0;0;0;0;0
    ;30240;;1;;>277751331514;>277616116426;>493;>492;;>378;;>378;>377;>231;;;>231;;>3416;2;;;;0;;;;;0;>528;1;;>123;>1712128;>162719;>798720;>54035;;;;;;;;;>636;;>3721;;;
    ;30243;;0;;<280386126386;<280385128450;77;4;;-1;-1;-1;-1;-1;-1;-1;-1;-1;-1;-1;-1;-1;-1;;;;;-1;-1;-1;-1;-1;-1;0;0;0;0;;;;;;;;;0;;0;;;
    ;30246;;;;<2047366413;<2047366845;>107;;;0;0;0;0;0;0;0;0;0;0;5;0;0;0;;;;;1;0;192;0;0;128;-1;-1;-1;-1;-1;-1;-1;-1;-1;-1;-1;-1;;;;;;
    ;;>10.521;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;0;;>364544;<2466312;;;;;>355032;>892244;;

What would be the best way to ingest this KPI data?

Should I forward it to the index I have (for all other types of logs) and define "sourcetype=csv" so that Splunk recognizes the fields?

Or should I rather create a separate metrics index for that? If yes, what would the source type be then? The metrics_csv?
Would the format above be properly recognized by metrics_csv and the fields correctly extracted?

Kind Regards,

Kamil

0 Karma
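
An added example, not part of the original post: a pre-ingest converter for the layout shown in the question, turning the wide semicolon-separated rows into one row per measurement with the `metric_timestamp`, `metric_name` and `_value` columns read by Splunk's `metrics_csv` source type. It runs on a constructed, shortened sample and assumes that blank host and time cells inherit the last value seen; cells starting with `>` or `<` are reported rather than converted, because the post does not say what the prefix means.

```python
import csv
import io
from decimal import Decimal, InvalidOperation

# Constructed sample: shortened header, same layout as the data in the post.
SAMPLE = """host;port;time;indexserverCpu;sqlConnections;cpuUsed
hostA;;1540422599.823;-1;-1;1
;30201;;0;11;
;30240;;1;>378;
;;>10.521;;;0
"""

def classify(cell):
    """Return 'empty', 'marked' (leading '>' or '<'), 'number' or 'text'."""
    if cell == "":
        return "empty"
    if cell[0] in "<>":
        return "marked"
    try:
        Decimal(cell)
        return "number"
    except InvalidOperation:
        return "text"

def to_long_rows(text):
    """Wide rows -> (metric_timestamp, metric_name, _value, host, port) tuples."""
    reader = csv.reader(io.StringIO(text), delimiter=";")
    header = next(reader)
    host = ts = None
    rows, skipped = [], []
    for lineno, rec in enumerate(reader, start=2):
        cells = dict(zip(header, (c.strip() for c in rec)))
        if len(rec) != len(header):
            skipped.append((lineno, "field count"))
            continue
        host = cells["host"] or host          # assumption: blank host inherits
        kind = classify(cells["time"])
        if kind == "number":
            ts = int(Decimal(cells["time"]) * 1000)   # epoch seconds -> ms
        elif kind != "empty" or ts is None:   # assumption: blank time inherits
            skipped.append((lineno, "time"))
            continue
        for name in header[3:]:
            kind = classify(cells[name])
            if kind == "number":
                rows.append((ts, name, cells[name], host, cells["port"]))
            elif kind != "empty":
                skipped.append((lineno, name))   # marked or text: not a plain number
    return rows, skipped
```

The `skipped` list names every line and column that a header-based CSV extraction would otherwise index as a non-numeric or timestamp-less value.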