# props.conf
#
# Splunk parsing configuration for Nmon data: line breaking, timestamp recognition,
# field-extraction mode and index-time transforms, one stanza per sourcetype or source.
# The TRANSFORMS-* classes reference transforms that are not defined in this file
# (presumably transforms.conf in the same app -- confirm).
# Comments are kept on their own lines, never after a value on the same line.

###############################
# nmon metrics for metric store
###############################

# Introduced with Splunk 7, metrics are now natively supported
# Nmon uses its own copy of the default metrics_csv sourcetype

[nmon_metrics_csv]
SHOULD_LINEMERGE = False
pulldown_type = true
INDEXED_EXTRACTIONS = csv
ADD_EXTRA_TIME_FIELDS = False
KV_MODE = none
# Event time is read from the metric_timestamp CSV column: epoch seconds plus subseconds.
TIMESTAMP_FIELDS = metric_timestamp
TIME_FORMAT = %s.%Q
category = Metrics
description = Comma-separated value format for metrics. Nmon implementation.

# Overwriting the default host field based on event data for the nmon_metrics_csv sourcetype
# (useful when managing Nmon central shares)
# NOTE(review): the indexed host then comes from file content rather than from the input, so it is
# only as trustworthy as write access to those shares -- confirm who can write there.
TRANSFORMS-hostfield=nmon_metrics_csv_hostoverride

# Metrics can be sent by http using the Splunk Http Event Collector (HEC)

[nmon_metrics_http]
# NOTE(review): TIME_PREFIX is a regex and timestamp extraction starts after the end of its match.
# This pattern also matches the digits and the closing quote, so the epoch value appears to be
# consumed by the prefix itself; the sibling [nmon_data_http] stanza stops at the opening quote.
# Confirm that these events are not being stamped with a fallback time.
TIME_PREFIX = metric_timestamp=\"(\d+)\"
TIME_FORMAT = %s
# Index-time transforms; judging by their names they set host, metric name/value, dimensions,
# OS type and serial number from the payload (definitions not shown here).
# NOTE(review): anything derived from the payload is controlled by whoever can post with the HEC token.
TRANSFORMS-nmon_metrics_http = nmon_metrics_http_host, nmon_metrics_http_metric_name, nmon_metrics_http_metric_value, nmon_metrics_http_dims, nmon_metrics_http_OStype, nmon_metrics_http_serialnum
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
pulldown_type = 1
category = Metrics

########################
# nmon metrics as events
########################

# This sourcetype stanza will be used to index nmon csv converted data
# Every generated csv file will contain a CSV header used by Splunk to identify fields

[nmon_data]

# Structured CSV parsing: comma-delimited, double-quote quoted, header on the first line.
FIELD_DELIMITER=,
FIELD_QUOTE="
HEADER_FIELD_LINE_NUMBER=1

# your settings
INDEXED_EXTRACTIONS=csv
NO_BINARY_CHECK=1
SHOULD_LINEMERGE=false
# Event time is read from the ZZZZ column.
# NOTE(review): this format carries no timezone, so Splunk applies whatever timezone it resolves
# for the input -- confirm that this matches the collecting hosts.
TIMESTAMP_FIELDS=ZZZZ
TIME_FORMAT=%d-%m-%Y %H:%M:%S

# set by detected source type
KV_MODE=none
pulldown_type=true

# Leaving PUNCT enabled can impact indexing performance and uses disk space.
# It is of little use for structured data, so it is disabled here.
ANNOTATE_PUNCT=false

# Overwriting the default host field based on event data for the nmon_data sourcetype
# (useful when managing Nmon central shares)
# NOTE(review): the indexed host then comes from file content rather than from the input, so it is
# only as trustworthy as write access to those shares -- confirm who can write there.
TRANSFORMS-hostfield=nmon_data_hostoverride

# nmon_data sent over http using the Splunk Http Event Collector (HEC)
# This sourcetype will be automatically renamed to nmon_data

[nmon_data_http]
SHOULD_LINEMERGE=false
NO_BINARY_CHECK=true
CHARSET=UTF-8
# Epoch timestamp that follows the literal timestamp=" prefix.
TIME_FORMAT=%s
TIME_PREFIX=timestamp="
MAX_TIMESTAMP_LOOKAHEAD=26
KV_MODE=auto

# Apply indexing time parsing configuration
# NOTE(review): judging by their names, these transforms rewrite host, OS type, type and sourcetype
# from the payload (definitions not shown here); whoever can post with the HEC token controls them.
TRANSFORMS-nmon_data_http = nmon_data_http_host, nmon_data_http_OStype, nmon_data_http_type, nmon_data_http_sourcetype

# For search time extractions, set KV_MODE to auto for that source
# ([nmon_data], the sourcetype these events are renamed to, sets KV_MODE=none)

[source::nmon_data:http]
KV_MODE=auto

########################
# nmon processing events
########################

[nmon_processing]
SHOULD_LINEMERGE=false
NO_BINARY_CHECK=true
CHARSET=UTF-8
# The timestamp sits at the start of the event; 19 is the length of "dd-mm-YYYY HH:MM:SS".
TIME_PREFIX=^
TIME_FORMAT=%d-%m-%Y %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD=19
# A new event starts at each line that begins with a dd-mm-YYYY HH:MM:SS timestamp.
LINE_BREAKER=([\n\r]+)\d{2}-\d{2}-\d{4}\s\d{2}:\d{2}:\d{2}
TRUNCATE=999999

# Deactivate KV
KV_MODE=none

####################
# nmon config events
####################

[nmon_config]
SHOULD_LINEMERGE=false
NO_BINARY_CHECK=true
CHARSET=UTF-8
# The timestamp follows the leading "CONFIG," marker, e.g. CONFIG,dd-Mon-YYYY:HH:MM.SS
TIME_PREFIX=^CONFIG,
TIME_FORMAT=%d-%b-%Y:%H:%M.%S
# A new event starts at each "CONFIG,<timestamp>," line, so one event can span many lines.
LINE_BREAKER=([\r\n]+)CONFIG,\d{2}-\w{3}-\d{4}:\d{2}:\d{2}\.\d{2},
# TRUNCATE=0 disables the event length limit entirely.
TRUNCATE=0
MAX_EVENTS=100000
MAX_TIMESTAMP_LOOKAHEAD=30

# Deactivate KV
KV_MODE = none

# Overwriting the default host field based on event data for the nmon_config sourcetype
# (useful when managing Nmon central shares)
# NOTE(review): the indexed host then comes from file content rather than from the input, so it is
# only as trustworthy as write access to those shares -- confirm who can write there.
TRANSFORMS-hostfield=nmon_config_hostoverride

# nmon_config sent over http

[nmon_config:http]
SHOULD_LINEMERGE=false
NO_BINARY_CHECK=true
CHARSET=UTF-8
# A new event starts at each line that begins with timestamp="
LINE_BREAKER=([\r\n]+)timestamp=\"
MAX_EVENTS=100000
TIME_FORMAT=%s
TIME_PREFIX=timestamp="
# NOTE(review): TRUNCATE=0 disables the event length limit on data received over HEC, so event
# size is bounded only by what the sender posts. Consider a large finite value, as the other
# stanzas use, unless unbounded config events are really required.
TRUNCATE=0

# Rewrite the source Metadata to manage search time extraction
# NOTE(review): host and sourcetype are rewritten at index time (transform definitions not shown
# here); if they are taken from the payload, whoever can post with the HEC token controls them.
TRANSFORMS-nmon_config_http = nmon_config_http_rewrite_host, nmon_config_http_rewrite_sourcetype

# For search heads

[source::nmon_config:http]
KV_MODE=none

#####################
# nmon collect events
#####################

[nmon_collect]
SHOULD_LINEMERGE=false
NO_BINARY_CHECK=true
CHARSET=UTF-8
# The timestamp sits at the start of the event; 19 is the length of "dd-mm-YYYY HH:MM:SS".
TIME_PREFIX=^
TIME_FORMAT=%d-%m-%Y %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD=19
# A new event starts at each line that begins with a dd-mm-YYYY HH:MM:SS timestamp.
LINE_BREAKER=([\n\r]+)\d{2}-\d{2}-\d{4}\s\d{2}:\d{2}:\d{2}
TRUNCATE=999999

# Deactivate KV
KV_MODE = none

###################
# nmon clean events
###################

[nmon_clean]
SHOULD_LINEMERGE=false
NO_BINARY_CHECK=true
CHARSET=UTF-8
# The timestamp sits at the start of the event; 19 is the length of "dd-mm-YYYY HH:MM:SS".
TIME_PREFIX=^
TIME_FORMAT=%d-%m-%Y %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD=19
# A new event starts at each line that begins with a dd-mm-YYYY HH:MM:SS timestamp.
LINE_BREAKER=([\n\r]+)\d{2}-\d{2}-\d{4}\s\d{2}:\d{2}:\d{2}
TRUNCATE=999999

# Deactivate KV
KV_MODE = none