Splunk Search

sending events from input based on regex to metrics

imrago
Contributor

I have created a setup where from an input based on a regex some of the events are sent to a specific index with changed source type. It is working nicely with regular indexes, but I can not get it working with metrics based indexes. What could be wrong?

props.conf
[csv]
TRANSFORMS-indst = change_index,change_sourcetype

inputs.conf
[udp://514]
connection_host = ip
sourcetype = csv

transforms.conf
[change_index]
REGEX = (?i) error
DEST_KEY = _MetaData:Index
WRITE_META = true
FORMAT = metrics_index

[change_sourcetype]
REGEX = (?i) error
DEST_KEY = _MetaData:
WRITE_META = true
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::metrics_sourcetype

0 Karma

DavidHourani
Super Champion

Hi @imrago,

the sourcetype csv already has a lot of predefined configurations that are probably overwritting whatever you are trying to do there. Change a your sourcetype's name and you should be okay 😉

Cheers,
David

0 Karma

somesoni2
Revered Legend

What are the fields available in your CSV file?? See this Splunk documentation for what format Splunk expects it: https://docs.splunk.com/Documentation/Splunk/7.2.6/Metrics/GetMetricsInOther

0 Karma

imrago
Contributor

used csv just an example, when I send directly to a metrics index then everything is working fine

0 Karma
Get Updates on the Splunk Community!

Security Professional: Sharpen Your Defenses with These .conf25 Sessions

Sooooooooooo, guess what. .conf25 is almost here, and if you're on the Security Learning Path, this is your ...

First Steps with Splunk SOAR

Our first step was to gather a list of the playbooks we wanted and to sort them by priority.  Once this list ...

How To Build a Self-Service Observability Practice with Splunk Observability Cloud

If you’ve read our previous post on self-service observability, you already know what it is and why it ...