Deployement_Server_old/apps/splunk_internal_metrics/default/transforms.conf

###
# redirects data into into the _metrics index 
###
[metrics_index_redirect]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = _metrics


###
# sets the metric_name 'prefix' for this event.  The 
# metric schema processor will append the actual measure names to
# this prefix for the final metric_name for the event
###
[metrics_log_metric_name]
INGEST_EVAL = metric_name="spl.mlog.".case(\
    group IN ( "subtask_seconds",\
               "subtask_counts",\
               "search_concurrency",\
               "deploy-server",\
               "thruput",\
               "jobs",\
               "search_health_metrics",\
               "tailingprocessor" ) AND isnotnull(name),\
            group.".".name,\
    group == "pipeline" AND name == "indexerpipe" AND processor == "indexer",\
            group.".".processor,\
    group == "dutycycle" AND name == "misc",\
            group.".".name,\
    group == "search_concurrency" AND isnotnull(user),\
            group.".per_user",\
    group == "bundles_downloads" AND isnotnull(baseline_count),\
            group.".baseline",\
    group == "bundles_downloads" AND isnotnull(delta_count),\
            group.".delta",\
    isnotnull(group), group,\
    1 == 1, "nullgroup"\
)

###
# This transforms simply clones the event as is, updates it's sourcetype
# to metrics_log.  This event will then undergo the transforms associated
# with the metrics_log sourcetype
###
[metrics_log_clone]
SOURCE_KEY = MetaData:Source
REGEX = (.)
CLONE_SOURCETYPE = splunk_metrics_log

###
# This metric schema stanza will define a schema to convert the metrics.log
# event into a metric data point.
###
[metric-schema:metrics_dot_log]
METRIC-SCHEMA-MEASURES = _NUMS_EXCEPT_ destPort,sourcePort


###
# start transforms for introspection logs
#
# Follows similar pattern to metric.log case above.  We clone
# the events, create a metric_name prefix and send them through
# our metric schema processor to form them into valid
# metric store event.
###
[introspection_disk_objects_log_clone]
SOURCE_KEY = MetaData:Source
REGEX = (.)
CLONE_SOURCETYPE = splunk_intro_disk_objects

[introspection_resource_usage_log_clone]
SOURCE_KEY = MetaData:Source
REGEX = (.)
CLONE_SOURCETYPE = splunk_intro_resource_usage


###
# sets the metric_name prefix for this introspection
# events
###
[introspection_disk_objects_metric_name]
INGEST_EVAL = metric_name = "spl.intr.disk_objects"\
.case(\
        isnotnull( component ), ".".component\
        , 1==1, ""\
)

[introspection_resource_usage_metric_name]
INGEST_EVAL = metric_name = "spl.intr.resource_usage"\
.case(\
        isnotnull( component ), ".".component,\
        1==1, ""\
)

#
# NOTE: we choose to blacklist max_size, which is reported as
# part of the Volumes component, to be a dimension since it
# can take on the value: "Infinite" AND it is wasteful to
# store it as a measure as it won't change a lot anyways
###
[metric-schema:introspection_disk_objects]
METRIC-SCHEMA-MEASURES = _NUMS_EXCEPT_ *data.top_*
METRIC-SCHEMA-BLACKLIST-DIMS = datetime, *data.top_*, *data.args
 


#
# NOTE: we choose to blacklist 'interval' since this will
# mostly be a fixed value, no need to take up space for it
# as a measure
#
# 'datetime' is blacklisted as a dimension since it is 
# high cardinality and redundant w/ _time field
###
[metric-schema:introspection_resource_usage]
METRIC-SCHEMA-MEASURES = _NUMS_EXCEPT_ *data.splunk_version, *data.pid, *data.ppid, *data.interval
METRIC-SCHEMA-BLACKLIST-DIMS = datetime

[metric-schema:log2metrics_default_csv]
METRIC-SCHEMA-MEASURES = _ALLNUMS_
[metric-schema:log2metrics_default_keyvalue]
METRIC-SCHEMA-MEASURES = _ALLNUMS_
[metric-schema:log2metrics_default_json]
METRIC-SCHEMA-MEASURES = _ALLNUMS_

[metrics_field_extraction]
# Ensure that "-" character is last in the value character class
# so it is not incorrectly interpreted as a range.
REGEX = ([a-zA-Z0-9_\.]+)=\"?([a-zA-Z0-9_\.:-]+)
FORMAT = $1::$2
REPEAT_MATCH = true
WRITE_META = true