Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

sending events from input based on regex to metrics

imrago
Contributor
‎05-17-2019 05:50 AM

I have created a setup where from an input based on a regex some of the events are sent to a specific index with changed source type. It is working nicely with regular indexes, but I can not get it working with metrics based indexes. What could be wrong?

props.conf
[csv]
TRANSFORMS-indst = change_index,change_sourcetype

inputs.conf
[udp://514]
connection_host = ip
sourcetype = csv

transforms.conf
[change_index]
REGEX = (?i) error
DEST_KEY = _MetaData:Index
WRITE_META = true
FORMAT = metrics_index

[change_sourcetype]
REGEX = (?i) error
DEST_KEY = _MetaData:
WRITE_META = true
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::metrics_sourcetype

0 Karma
Reply

DavidHourani
Super Champion
‎05-17-2019 09:12 AM

Hi @imrago,

the sourcetype csv already has a lot of predefined configurations that are probably overwritting whatever you are trying to do there. Change a your sourcetype's name and you should be okay 😉

Cheers,
David

0 Karma
Reply

somesoni2
Revered Legend
‎05-17-2019 06:57 AM

What are the fields available in your CSV file?? See this Splunk documentation for what format Splunk expects it: https://docs.splunk.com/Documentation/Splunk/7.2.6/Metrics/GetMetricsInOther

0 Karma
Reply

imrago
Contributor
‎05-17-2019 07:03 AM

used csv just an example, when I send directly to a metrics index then everything is working fine

0 Karma
Reply
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!

Get Updates on the Splunk Community!