sending events from input based on regex to metric...

imrago · ‎05-17-2019

I have created a setup where from an input based on a regex some of the events are sent to a specific index with changed source type. It is working nicely with regular indexes, but I can not get it working with metrics based indexes. What could be wrong?

props.conf
[csv]
TRANSFORMS-indst = change_index,change_sourcetype

inputs.conf
[udp://514]
connection_host = ip
sourcetype = csv

transforms.conf
[change_index]
REGEX = (?i) error
DEST_KEY = _MetaData:Index
WRITE_META = true
FORMAT = metrics_index

[change_sourcetype]
REGEX = (?i) error
DEST_KEY = _MetaData:
WRITE_META = true
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::metrics_sourcetype

DavidHourani · ‎05-17-2019

Hi @imrago,

the sourcetype csv already has a lot of predefined configurations that are probably overwritting whatever you are trying to do there. Change a your sourcetype's name and you should be okay 😉

Cheers,
David

somesoni2 · ‎05-17-2019

What are the fields available in your CSV file?? See this Splunk documentation for what format Splunk expects it: https://docs.splunk.com/Documentation/Splunk/7.2.6/Metrics/GetMetricsInOther

imrago · ‎05-17-2019

used csv just an example, when I send directly to a metrics index then everything is working fine

sending events from input based on regex to metrics

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!

Full Details! >

sending events from input based on regex to metrics

Help us learn about how Splunk has impacted your career by taking the 2021 Splunk Career Survey.Earn $50 in Amazon cash! Full Details! >

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!

Full Details! >