You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
172 lines
4.3 KiB
172 lines
4.3 KiB
# props.conf
|
|
|
|
###############################
|
|
# nmon metrics for metric store
|
|
###############################
|
|
|
|
# Introduced with Splunk 7, metrics are now natively supported
|
|
# Nmon uses its own copy of the default metrics_csv sourcetype
|
|
|
|
[nmon_metrics_csv]
|
|
SHOULD_LINEMERGE = False
|
|
pulldown_type = true
|
|
INDEXED_EXTRACTIONS = csv
|
|
ADD_EXTRA_TIME_FIELDS = False
|
|
KV_MODE = none
|
|
TIMESTAMP_FIELDS = metric_timestamp
|
|
TIME_FORMAT = %s.%Q
|
|
category = Metrics
|
|
description = Comma-separated value format for metrics. Nmon implementation.
|
|
|
|
# Overwritting default host field based on event data for nmon_data sourcetype (useful when managing Nmon central shares)
|
|
TRANSFORMS-hostfield=nmon_metrics_csv_hostoverride
|
|
|
|
# Metrics can be sent by http using the Splunk Http Event Collector (HEC)
|
|
[nmon_metrics_http]
|
|
TIME_PREFIX = metric_timestamp=\"(\d+)\"
|
|
TIME_FORMAT = %s
|
|
TRANSFORMS-nmon_metrics_http = nmon_metrics_http_host, nmon_metrics_http_metric_name, nmon_metrics_http_metric_value, nmon_metrics_http_dims, nmon_metrics_http_OStype, nmon_metrics_http_serialnum
|
|
NO_BINARY_CHECK = true
|
|
SHOULD_LINEMERGE = false
|
|
pulldown_type = 1
|
|
category = Metrics
|
|
|
|
########################
|
|
# nmon metrics as events
|
|
########################
|
|
|
|
# This sourcetype stanza will be used to index nmon csv converted data
|
|
# Every generated csv file will contain a CSV header used by Splunk to identify fields
|
|
|
|
[nmon_data]
|
|
FIELD_DELIMITER=,
|
|
FIELD_QUOTE="
|
|
HEADER_FIELD_LINE_NUMBER=1
|
|
|
|
# your settings
|
|
INDEXED_EXTRACTIONS=csv
|
|
NO_BINARY_CHECK=1
|
|
SHOULD_LINEMERGE=false
|
|
TIMESTAMP_FIELDS=ZZZZ
|
|
TIME_FORMAT=%d-%m-%Y %H:%M:%S
|
|
|
|
# set by detected source type
|
|
KV_MODE=none
|
|
pulldown_type=true
|
|
|
|
# Leaving PUNCT enabled can impact indexing performance, and uses space
|
|
# For structured data, it has poor interest and shall be deactivated
|
|
ANNOTATE_PUNCT=false
|
|
|
|
# Overwritting default host field based on event data for nmon_data sourcetype (useful when managing Nmon central shares)
|
|
TRANSFORMS-hostfield=nmon_data_hostoverride
|
|
|
|
# nmon_data sent over http using the Splunk Http Event Collector (HEC)
|
|
# This sourcetype will be automatically renamed to nmon_data
|
|
|
|
[nmon_data_http]
|
|
SHOULD_LINEMERGE=false
|
|
NO_BINARY_CHECK=true
|
|
CHARSET=UTF-8
|
|
TIME_FORMAT=%s
|
|
TIME_PREFIX=timestamp="
|
|
MAX_TIMESTAMP_LOOKAHEAD=26
|
|
KV_MODE=auto
|
|
|
|
# Apply indexing time parsing configuration
|
|
TRANSFORMS-nmon_data_http = nmon_data_http_host, nmon_data_http_OStype, nmon_data_http_type, nmon_data_http_sourcetype
|
|
|
|
# For search time extractions, activate kvmode to auto for that source
|
|
[source::nmon_data:http]
|
|
KV_MODE=auto
|
|
|
|
########################
|
|
# nmon processing events
|
|
########################
|
|
|
|
[nmon_processing]
|
|
SHOULD_LINEMERGE=false
|
|
NO_BINARY_CHECK=true
|
|
CHARSET=UTF-8
|
|
TIME_PREFIX=^
|
|
TIME_FORMAT=%d-%m-%Y %H:%M:%S
|
|
MAX_TIMESTAMP_LOOKAHEAD=19
|
|
LINE_BREAKER=([\n\r]+)\d{2}-\d{2}-\d{4}\s\d{2}:\d{2}:\d{2}
|
|
TRUNCATE=999999
|
|
|
|
# Deactivate KV
|
|
KV_MODE=none
|
|
|
|
####################
|
|
# nmon config events
|
|
####################
|
|
|
|
[nmon_config]
|
|
SHOULD_LINEMERGE=false
|
|
NO_BINARY_CHECK=true
|
|
CHARSET=UTF-8
|
|
TIME_PREFIX=^CONFIG,
|
|
TIME_FORMAT=%d-%b-%Y:%H:%M.%S
|
|
LINE_BREAKER=([\r\n]+)CONFIG,\d{2}-\w{3}-\d{4}:\d{2}:\d{2}\.\d{2},
|
|
TRUNCATE=0
|
|
MAX_EVENTS=100000
|
|
MAX_TIMESTAMP_LOOKAHEAD=30
|
|
|
|
# Deactivate KV
|
|
KV_MODE = none
|
|
|
|
# Overwritting default host field based on event data for nmon_data sourcetype (useful when managing Nmon central shares)
|
|
TRANSFORMS-hostfield=nmon_config_hostoverride
|
|
|
|
# nmon_config sent over http
|
|
[nmon_config:http]
|
|
SHOULD_LINEMERGE=false
|
|
NO_BINARY_CHECK=true
|
|
CHARSET=UTF-8
|
|
LINE_BREAKER=([\r\n]+)timestamp=\"
|
|
MAX_EVENTS=100000
|
|
TIME_FORMAT=%s
|
|
TIME_PREFIX=timestamp="
|
|
TRUNCATE=0
|
|
|
|
# Rewrite the source Metadata to manage search time extraction
|
|
TRANSFORMS-nmon_config_http = nmon_config_http_rewrite_host, nmon_config_http_rewrite_sourcetype
|
|
|
|
# For search heads
|
|
[source::nmon_config:http]
|
|
KV_MODE=none
|
|
|
|
#####################
|
|
# nmon collect events
|
|
#####################
|
|
|
|
[nmon_collect]
|
|
SHOULD_LINEMERGE=false
|
|
NO_BINARY_CHECK=true
|
|
CHARSET=UTF-8
|
|
TIME_PREFIX=^
|
|
TIME_FORMAT=%d-%m-%Y %H:%M:%S
|
|
MAX_TIMESTAMP_LOOKAHEAD=19
|
|
LINE_BREAKER=([\n\r]+)\d{2}-\d{2}-\d{4}\s\d{2}:\d{2}:\d{2}
|
|
TRUNCATE=999999
|
|
|
|
# Deactivate KV
|
|
KV_MODE = none
|
|
|
|
###################
|
|
# nmon clean events
|
|
###################
|
|
|
|
[nmon_clean]
|
|
SHOULD_LINEMERGE=false
|
|
NO_BINARY_CHECK=true
|
|
CHARSET=UTF-8
|
|
TIME_PREFIX=^
|
|
TIME_FORMAT=%d-%m-%Y %H:%M:%S
|
|
MAX_TIMESTAMP_LOOKAHEAD=19
|
|
LINE_BREAKER=([\n\r]+)\d{2}-\d{2}-\d{4}\s\d{2}:\d{2}:\d{2}
|
|
TRUNCATE=999999
|
|
|
|
# Deactivate KV
|
|
KV_MODE = none
|