Getting Data In

MSSQL TA and putting it's data into a metrics index

Path Finder


I'd like to store the data collected by the "Splunk Add-on for Microsoft SQL Server" in a metrics index. Initially I installed the TA as as described and it collected data to a normal index with no problems. So I updated it's inputs.conf file to point to the metrics index which failed because the data wasn't structured correctly. So after a little bit of Googling I crafted a props and transforms files to change the counter field to metric_name (mainly based on this answer: Sending-Perfmon-data-to-metrics-index ) but it's still not working.

In inputs.conf file looks like so (I'm just showing one measure as an example):

object = Processor
counters = % Processor Time
instances = _Total
interval = 60
showZeroValue = 1
mode = single
disabled = 0
index = em_metrics
sourcetype = PerfmonMetrics:sqlserverhost:processor


TRANSFORMS-metric = sqlserverhost_metric
TRANSFORMS-value = sqlserverhost_value


REGEX = collection=(.+)[\s\S]*counter=(.+)[\s\S]*instance=(.+)
FORMAT = metric_name::$1.$3.$2

REGEX = Value=(.+)
FORMAT = metric_value::$1

All three of these files are on the Universal Forwarder on the MSSQL host I'd like to monitor.

The architecture of the Splunk instance is Univeral Forwarder on the host, to Heavy Forwarder, then via Cribl (which allows me to see the transforms are not working) to the Indexer/Search Head.

What am I doing wrong here?

0 Karma

Path Finder

Hi Greg,

Thanks for your response. I haven't really got this working still (I have a solution using Cribl to change the data later on) - I'm still struggling to get access to the heavy forwarder.  However I agreed with your advice  that the the props and transforms files need to go on the Heavy Forwarder.

When I finally get access I'll give it a try.



Hey eddieddieddie,

Not sure if you've resolved this already but your props.conf and transforms.conf need to be on your HF as well for the transforms you're expecting to work.

Hope this helps (or that you had already resolve this).


Get Updates on the Splunk Community!

Using Machine Learning for Hunting Security Threats

REGISTER NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more ...

Security Highlights | November 2022 Newsletter

 November 2022 2022 Gartner Magic Quadrant for SIEM: Splunk Named a Leader for the 9th Year in a RowSplunk is ...

Platform Highlights | November 2022 Newsletter

 November 2022 Skill Up on Splunk with our New Builder Tech Talk SeriesCan you build it? Yes you can! *play ...