Solved: Is it possible to extract dimensions from the sour...

krdo · ‎05-07-2018

We already use a custom CSV formt to report application metrics. The format is very similar to the one introduced in Splunk 7.
But while Splunk extracts dimensions from the CSV lines, we extract some of the dimenstions from the source field.
According to the docs something like that is possible for nearly all other methods of importing metrics, but not for CSV files.

Is there any way I can achieve this without modifying the CSV files (e.g. via search- or index-time field extractions)?

EDIT 1:

This is en example CSV file (source = X:\LogFiles\MyEnvironment\MyApplication\MyInstance\Values.amf):

metric_name,_value
Process.IO,16620.4
Process.ProcessorTime,4.0666666666666664
Process.ThreadCount,40
Process.WorkingSet,258634547.2

We currently use a search time field extraction to extract the following three fields (~dimensions) from the source field:

Environment=MyEnvironment
Application=MyApplication
Instance=MyInstance

Those fields are extracted via the following line in our props.conf:

EXTRACT-source = (?i)LogFiles\\(?<Environment>[^\\]+)\\(?<Application>[^\\]+)\\(?<Instance>[^\\]+)\\ in source

Using either this or an equivalent transform to extract the fields at index time did not work.

EDIT 2:
I've tried using the following conf file stanzas:

props.conf:

[metrics_csv]
TRANSFORMS-amf2 = amf2

transforms.conf:

[amf2]
SOURCE_KEY = field:source
REGEX = (?i)LogFiles\\(?<Environment>[^\\]+)\\(?<Application>[^\\]+)\\(?<Instance>[^\\]+)\\

xpac · ‎05-07-2018

Hey, try this please for your transforms.conf:

SOURCE_KEY = MetaData:Source
REGEX = yourregex
WRITE_META = true

You can find more information on how to extract index time fields here:
http://docs.splunk.com/Documentation/Splunk/7.1.0/Data/Configureindex-timefieldextraction

For metrics data, you can completely ignore anything written that relating to fields.conf.

View solution in original post

xpac · ‎05-07-2018

Hey, try this please for your transforms.conf:

SOURCE_KEY = MetaData:Source
REGEX = yourregex
WRITE_META = true

You can find more information on how to extract index time fields here:
http://docs.splunk.com/Documentation/Splunk/7.1.0/Data/Configureindex-timefieldextraction

For metrics data, you can completely ignore anything written that relating to fields.conf.

krdo · ‎05-07-2018

Thanks for your support, you clearly pointed me in the right direction:

SOURCE_KEY = MetaData:Source is required.
WRITE_META = true is required.
yourregex MUST NOT end with a backslash (I've encountered that issue long ago but forgot about it. Splunk thinks I want to escape the newline)
Named capturing groups are not working; FORMAT = Environment::$1 Application::$2 Instance::$3does work.

This transforms.conf stanza works:

[amf2]
SOURCE_KEY = MetaData:Source
REGEX = (?i)LogFiles\\([^\\]+)\\([^\\]+)\\([^\\]+)
FORMAT = Environment::$1 Application::$2 Instance::$3
WRITE_META = true

DATEVeG · ‎08-29-2018

Thanks for pointing this out!
Especially 4. is a no-go for uns.

@Splunk: Any news on this?
Support for named capture groups in transforms should also work for metric dimensions.

xpac · ‎05-07-2018

Can you please post a line of sample data for your currently used CSV format and an explanation how it would have to be split?

krdo · ‎05-07-2018

Thanks for the response - I've edited the question.

xpac · ‎05-07-2018

This should be possible even with CSV using index-time field extractions. Can you please show the props + transforms you tried?

krdo · ‎05-07-2018

Done - see edit 2.

Is it possible to extract dimensions from the source field for metrics imported from CSV files?

Preparing your Splunk Environment for OpenSSL3

Unleash Unified Security and Observability with Splunk Cloud Platform

Splunk AppDynamics with Cisco Secure Application