Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

sending events from input based on regex to metrics

imrago
Contributor
‎05-17-2019 05:50 AM

I have created a setup where from an input based on a regex some of the events are sent to a specific index with changed source type. It is working nicely with regular indexes, but I can not get it working with metrics based indexes. What could be wrong?

props.conf
[csv]
TRANSFORMS-indst = change_index,change_sourcetype

inputs.conf
[udp://514]
connection_host = ip
sourcetype = csv

transforms.conf
[change_index]
REGEX = (?i) error
DEST_KEY = _MetaData:Index
WRITE_META = true
FORMAT = metrics_index

[change_sourcetype]
REGEX = (?i) error
DEST_KEY = _MetaData:
WRITE_META = true
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::metrics_sourcetype

0 Karma
Reply

DavidHourani
Super Champion
‎05-17-2019 09:12 AM

Hi @imrago,

the sourcetype csv already has a lot of predefined configurations that are probably overwritting whatever you are trying to do there. Change a your sourcetype's name and you should be okay 😉

Cheers,
David

0 Karma
Reply

somesoni2
Revered Legend
‎05-17-2019 06:57 AM

What are the fields available in your CSV file?? See this Splunk documentation for what format Splunk expects it: https://docs.splunk.com/Documentation/Splunk/7.2.6/Metrics/GetMetricsInOther

0 Karma
Reply

imrago
Contributor
‎05-17-2019 07:03 AM

used csv just an example, when I send directly to a metrics index then everything is working fine

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Security Professional: Sharpen Your Defenses with These .conf25 Sessions

Sooooooooooo, guess what. .conf25 is almost here, and if you're on the Security Learning Path, this is your ...

First Steps with Splunk SOAR

Our first step was to gather a list of the playbooks we wanted and to sort them by priority.  Once this list ...

How To Build a Self-Service Observability Practice with Splunk Observability Cloud

If you’ve read our previous post on self-service observability, you already know what it is and why it ...
Top