Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 
Ask a Question

sending events from input based on regex to metrics

imrago
Contributor
โ€Ž05-17-2019 05:50 AM

I have created a setup where from an input based on a regex some of the events are sent to a specific index with changed source type. It is working nicely with regular indexes, but I can not get it working with metrics based indexes. What could be wrong?

props.conf
[csv]
TRANSFORMS-indst = changeindex,changesourcetype

inputs.conf
[udp://514]
connection_host = ip
sourcetype = csv

transforms.conf
[changeindex]
REGEX = (?i) error
DESTKEY = MetaData:Index
WRITEMETA = true
FORMAT = metrics_index

[changesourcetype]
REGEX = (?i) error
DESTKEY = MetaData:
WRITEMETA = true
DESTKEY = MetaData:Sourcetype
FORMAT = sourcetype::metricssourcetype

0 Karma
Reply

DavidHourani
SplunkTrust
SplunkTrust
โ€Ž05-17-2019 09:12 AM

Hi @imrago,

the sourcetype csv already has a lot of predefined configurations that are probably overwritting whatever you are trying to do there. Change a your sourcetype's name and you should be okay ๐Ÿ˜‰

Cheers,
David

0 Karma
Reply

somesoni2
SplunkTrust
SplunkTrust
โ€Ž05-17-2019 06:57 AM

What are the fields available in your CSV file?? See this Splunk documentation for what format Splunk expects it: https://docs.splunk.com/Documentation/Splunk/7.2.6/Metrics/GetMetricsInOther

0 Karma
Reply

imrago
Contributor
โ€Ž05-17-2019 07:03 AM

used csv just an example, when I send directly to a metrics index then everything is working fine

0 Karma
Reply