### # redirects data into into the _metrics index ### [metrics_index_redirect] REGEX = . DEST_KEY = _MetaData:Index FORMAT = _metrics ### # sets the metric_name 'prefix' for this event. The # metric schema processor will append the actual measure names to # this prefix for the final metric_name for the event ### [metrics_log_metric_name] INGEST_EVAL = metric_name="spl.mlog.".case(\ group IN ( "subtask_seconds",\ "subtask_counts",\ "search_concurrency",\ "deploy-server",\ "thruput",\ "jobs",\ "search_health_metrics",\ "tailingprocessor" ) AND isnotnull(name),\ group.".".name,\ group == "pipeline" AND name == "indexerpipe" AND processor == "indexer",\ group.".".processor,\ group == "dutycycle" AND name == "misc",\ group.".".name,\ group == "search_concurrency" AND isnotnull(user),\ group.".per_user",\ group == "bundles_downloads" AND isnotnull(baseline_count),\ group.".baseline",\ group == "bundles_downloads" AND isnotnull(delta_count),\ group.".delta",\ isnotnull(group), group,\ 1 == 1, "nullgroup"\ ) ### # This transforms simply clones the event as is, updates it's sourcetype # to metrics_log. This event will then undergo the transforms associated # with the metrics_log sourcetype ### [metrics_log_clone] SOURCE_KEY = MetaData:Source REGEX = (.) CLONE_SOURCETYPE = splunk_metrics_log ### # This metric schema stanza will define a schema to convert the metrics.log # event into a metric data point. ### [metric-schema:metrics_dot_log] METRIC-SCHEMA-MEASURES = _NUMS_EXCEPT_ destPort,sourcePort ### # start transforms for introspection logs # # Follows similar pattern to metric.log case above. We clone # the events, create a metric_name prefix and send them through # our metric schema processor to form them into valid # metric store event. ### [introspection_disk_objects_log_clone] SOURCE_KEY = MetaData:Source REGEX = (.) CLONE_SOURCETYPE = splunk_intro_disk_objects [introspection_resource_usage_log_clone] SOURCE_KEY = MetaData:Source REGEX = (.) CLONE_SOURCETYPE = splunk_intro_resource_usage ### # sets the metric_name prefix for this introspection # events ### [introspection_disk_objects_metric_name] INGEST_EVAL = metric_name = "spl.intr.disk_objects"\ .case(\ isnotnull( component ), ".".component\ , 1==1, ""\ ) [introspection_resource_usage_metric_name] INGEST_EVAL = metric_name = "spl.intr.resource_usage"\ .case(\ isnotnull( component ), ".".component,\ 1==1, ""\ ) # # NOTE: we choose to blacklist max_size, which is reported as # part of the Volumes component, to be a dimension since it # can take on the value: "Infinite" AND it is wasteful to # store it as a measure as it won't change a lot anyways ### [metric-schema:introspection_disk_objects] METRIC-SCHEMA-MEASURES = _NUMS_EXCEPT_ *data.top_* METRIC-SCHEMA-BLACKLIST-DIMS = datetime, *data.top_*, *data.args # # NOTE: we choose to blacklist 'interval' since this will # mostly be a fixed value, no need to take up space for it # as a measure # # 'datetime' is blacklisted as a dimension since it is # high cardinality and redundant w/ _time field ### [metric-schema:introspection_resource_usage] METRIC-SCHEMA-MEASURES = _NUMS_EXCEPT_ *data.splunk_version, *data.pid, *data.ppid, *data.interval METRIC-SCHEMA-BLACKLIST-DIMS = datetime [metric-schema:log2metrics_default_csv] METRIC-SCHEMA-MEASURES = _ALLNUMS_ [metric-schema:log2metrics_default_keyvalue] METRIC-SCHEMA-MEASURES = _ALLNUMS_ [metric-schema:log2metrics_default_json] METRIC-SCHEMA-MEASURES = _ALLNUMS_ [metrics_field_extraction] # Ensure that "-" character is last in the value character class # so it is not incorrectly interpreted as a range. REGEX = ([a-zA-Z0-9_\.]+)=\"?([a-zA-Z0-9_\.:-]+) FORMAT = $1::$2 REPEAT_MATCH = true WRITE_META = true