On October 30, 2022, all 1.2.x versions of the Splunk Data Stream Processor will reach their end of support date. See the Splunk Software Support Policy for details.
Format metrics data in DSP for Splunk indexes
For the Send to a Splunk Index with Batching, Send to a Splunk Index, and the Send to a Splunk Index (Default for Environment) sink functions to properly transform your event into metrics format, your event must follow the metrics schema shown in the examples below.
Use the following table and examples as a guide for how to format your data so that it is indexed appropriately into Splunk Enterprise.
DSP field | HEC metrics JSON | Data type | Notes
---|---|---|---
`body` | `fields` | list of maps | An array of one or more JSON objects following the schema defined here. There must be at least one metric in the
`sourcetype` or `source_type` | `sourcetype` | string | If not present, no sourcetype is included in the HEC metrics JSON.
`timestamp` | `time` | long integer | The Splunk Data Stream Processor uses Unix epoch time in milliseconds. Your timestamp is automatically converted to the Splunk epoch time format `<sec>.<ms>`. If blank or negative, `time` is set to now.
`source` | `source` | string | If not present, no source is included in the HEC metrics JSON.
`host` | `host` | string | If not present, no host is included in the HEC metrics JSON.
`attributes` | `fields` | map<string, any> | Defines default dimensions used in the HEC metrics JSON. For information on the attributes schema, see the attributes row in the metrics schema. For examples of how these default dimensions are used, see example 4 and example 5.
`id` | N/A | string | A DSP metrics field ignored by HEC.
`kind` | N/A | string | A DSP metrics field ignored by HEC.
`nanos` | N/A | integer | A DSP metrics field ignored by HEC.
any custom fields | N/A | any | All custom fields are ignored when creating the HEC metrics JSON.
N/A | `index` | string | To set the index in the HEC metrics JSON, you must pass the index name as an argument to the Send to a Splunk Index or Send to a Splunk Index with Batching function. If no index is selected, your data is sent to the default index associated with your HEC token.
Example 1: The body field in the event is null
DSP metric event:
Event{nanos=null, kind="metric", host=null, attributes=null, source_type="test-sourcetype", id=null, source="test-source", body=null, timestamp=1000000000000}
HEC metric JSON:
null (event is dropped)
Explanation: Your event `body` must have at least one metric, or else your event is dropped.
Example 2: The event has a body field present
DSP metric event:
Event{nanos=null,kind="metric",host=null, attributes=null, source_type="test-sourcetype", id=null, source="test-source", body=[{name:"test-metric_name", "value":2.2}],timestamp=1000000000001}
HEC metric JSON:
{"event":"metric","time":"1000000000.001","source":"test-source", "sourcetype":"test-sourcetype","index":"myindex123", "fields":{"_value":2.2,"metric_name":"test-metric_name"}}
Explanation: The `body` field has the correct DSP metrics schema. The DSP `name` and `value` fields map to the HEC metrics JSON `metric_name` and `_value` fields, respectively.
Example 3: The body field in the event contains two maps
DSP metric event:
Event{nanos=null, kind="metric", host=null, attributes=null, source_type="test-sourcetype", id=null, source="test-source", body=[{name:"test-metric_name", "value":2.2}, {name:"test-metric_name-2", "value":4.4}], timestamp=1000000000001}
HEC metric JSON:
{"event":"metric","time":"1000000000.001","source":"test-source","sourcetype":"test-sourcetype","index":"myindex123","fields":{"_value":2.2,"metric_name":"test-metric_name"}} {"event":"metric","time":"1000000000.001","source":"test-source","sourcetype":"test-sourcetype","index":"myindex123","fields":{"_value":4.4,"metric_name":"test-metric_name-2"}}
Explanation: Because the `body` field has two maps in the array, two separate HEC metric JSON objects are created.
Example 4: The event has additional attributes
DSP metric event:
Event{nanos=null, kind="metric", host=null, attributes={default_unit:"1", default_type:"g", default_dimensions={hostname:"test-hostname", service:"test-service"}}, source_type="test-sourcetype", id=null, source="test-source", body=[{name:"test-metric_name", "value":2.2}], timestamp=1000000000001}
HEC metric JSON:
{"event":"metric","time":"1000000000.001","source":"test-source","sourcetype":"test-sourcetype","index":"myindex123","fields":{"_value":2.2,"metric_name":"test-metric_name","service":"test-service","hostname":"test-hostname","unit":"1","type":"g"}}
Explanation: In this example, the DSP metrics event contains a valid `attributes` map. Because `unit`, `type`, and the default dimensions do not exist in `body`, the values from `attributes` are used in the HEC metric JSON `fields`.
Example 5: The event has the same hostname field in both attributes and body
DSP metric event:
Event{nanos=null, kind="metric", host=null, attributes={"default_unit":"1", "default_type":"g", "default_dimensions": {hostname:"test-hostname", service:"test-service"}}, source_type="test-sourcetype", id=null, source="test-source", body=[{name:"test-metric_name", unit:"2", hostname:"overwrite-hostname", "value":2.2}], timestamp=1000000000001}
HEC metric JSON:
{"event":"metric","time":"1000000000.001","source":"test-source","sourcetype":"test-sourcetype","index":"myindex123","fields":{"_value":2.2,"metric_name":"test-metric_name","service":"test-service","hostname":"overwrite-hostname","unit":"2","type":"g"}}
Explanation: In this example, `hostname` exists as a field in both `attributes` and `body`, with two different values. The value in `body` takes priority and is the value indexed in `hostname`.
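The mapping described in the table and walked through in examples 1 to 5, written out as an added Python example (this is not DSP's own code; the event is assumed to arrive as a plain dict with the DSP field names, and the index is assumed to be passed in as a function argument, as the sink functions require):

```python
import time


def hec_time(ts_ms):
    """Convert a DSP epoch-millisecond timestamp to the HEC "<sec>.<ms>" string.

    A blank (None) or negative timestamp is replaced with the current time,
    matching the behaviour described in the table.
    """
    if ts_ms is None or ts_ms < 0:
        ts_ms = int(time.time() * 1000)
    sec, ms = divmod(ts_ms, 1000)
    return "%d.%03d" % (sec, ms)


def dsp_metric_to_hec(event, index=None):
    """Return the list of HEC metrics JSON objects produced for one DSP metric event.

    One object is emitted per map in ``body``; an event whose ``body`` is null or
    empty yields an empty list, i.e. it is dropped (example 1).
    """
    body = event.get("body")
    if not body:
        return []
    attrs = event.get("attributes") or {}
    # Defaults from attributes (example 4): default_dimensions become dimensions,
    # default_unit/default_type become the "unit"/"type" fields.
    defaults = dict(attrs.get("default_dimensions") or {})
    if "default_unit" in attrs:
        defaults["unit"] = attrs["default_unit"]
    if "default_type" in attrs:
        defaults["type"] = attrs["default_type"]
    out = []
    for metric in body:
        fields = dict(defaults)
        # Any body key other than name/value is a dimension; body overrides
        # the attribute defaults (example 5).
        for key, value in metric.items():
            if key == "name":
                fields["metric_name"] = value
            elif key == "value":
                fields["_value"] = value
            else:
                fields[key] = value
        hec = {"event": "metric", "time": hec_time(event.get("timestamp"))}
        for dsp_key, hec_key in (("source", "source"), ("source_type", "sourcetype"), ("host", "host")):
            if event.get(dsp_key) is not None:  # absent fields are simply omitted
                hec[hec_key] = event[dsp_key]
        if index:
            hec["index"] = index
        hec["fields"] = fields
        out.append(hec)
    return out
```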
This documentation applies to the following versions of Splunk® Data Stream Processor: 1.2.0, 1.2.1-patch02, 1.2.1, 1.2.2-patch02, 1.2.4, 1.2.5