Hi,

I'd like to store the data collected by the "Splunk Add-on for Microsoft SQL Server" in a metrics index. Initially I installed the TA as as described and it collected data to a normal index with no problems. So I updated it's inputs.conf file to point to the metrics index which failed because the data wasn't structured correctly. So after a little bit of Googling I crafted a props and transforms files to change the counter field to metric_name (mainly based on this answer: Sending-Perfmon-data-to-metrics-index ) but it's still not working.

In inputs.conf file looks like so (I'm just showing one measure as an example):

[perfmon://sqlserverhost:processor]
object = Processor
counters = % Processor Time
instances = _Total
interval = 60
showZeroValue = 1
mode = single
disabled = 0
index = em_metrics
sourcetype = PerfmonMetrics:sqlserverhost:processor

Props.conf

[PerfmonMetrics:sqlserverhost:processor]
TRANSFORMS-metric = sqlserverhost_metric
TRANSFORMS-value = sqlserverhost_value

Transforms.conf

[sqlserverhost_metric]
REGEX = collection=(.+)[\s\S]*counter=(.+)[\s\S]*instance=(.+)
FORMAT = metric_name::$1.$3.$2
WRITE_META = true

[sqlserverhost_value]
REGEX = Value=(.+)
FORMAT = metric_value::$1
WRITE_META = true

All three of these files are on the Universal Forwarder on the MSSQL host I'd like to monitor.

The architecture of the Splunk instance is Univeral Forwarder on the host, to Heavy Forwarder, then via Cribl (which allows me to see the transforms are not working) to the Indexer/Search Head.

What am I doing wrong here?
Thanks
Eddie