×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Jim_Mulder
New Member
Member since: ‎06-12-2020
‎02-15-2023
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎06-12-2020
View All

Re: How do I forward HEC events with fields starin...

by in All Apps and Add-ons
‎02-15-2023 09:29 AM
‎02-15-2023 09:29 AM
OK, I feel like an idiot. When collecting metrics, be sure to use a index of datatype 'metrics' ... View more

How do I forward HEC events with fields staring wi...

by in All Apps and Add-ons
‎02-15-2023 08:13 AM
‎02-15-2023 08:13 AM
I've configured a HEC to receive events from a Telegraf emitter, which provides metrics in the form: {"time":1676415410,"event":"metric","host":"VaultNonProd-us-east-2a","index":"vault-metrics","fields":{"_value":0.022299762544379577,"cluster":"vault_nonprod","datacenter":"us-east-2","metric_name":"vault.raft.replication.heartbeat.NonProd-us-east-2b-d992bf60.stddev","metric_type":"timing","role":"vault-server"}} All of the fields come across from the HF to our indexers except the one we're most interested, the _value field.  Searching around, I found https://docs.splunk.com/Documentation/DSP/1.3.1/Connection/IndexEvent which, in part, states that "Entries that are not included in fields include: any key that starts with underscore (such as _time)" Is it possible to include an underscore-starting field in the forwarded event? Thanks ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎02-15-2023 01:55 PM