Splunk® Enterprise


Splunk Enterprise version 8.0 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Convert event logs to metric data points

Metrics are often buried in unstructured or semi-structured log data. The Splunk platform can automatically convert log data to metrics data points and then insert that data into a metrics index that you specify. It can perform this conversion when your log data is ingested into your Splunk platform deployment, or when you run a search on the log data with the mcollect or meventcollect commands.

This functionality builds on the existing ability of the Splunk platform to extract fields from events at ingest time and at search time. When you set up a log-to-metrics conversion, you look at the field-value pairs that are pulled out of your unstructured events and identify the fields with numeric values that the Splunk platform can transform into measurements.

You can optionally identify extracted fields for the Splunk platform to exclude so they do not appear in the metric data points.

Extracted fields in your events that you have not identified as measurements or excluded fields are added to the metric data points as dimensions.

Certain log-to-metrics feature extensions, such as the ability to create log-to-metric configurations that automatically process numeric fields as measures, can only be managed through manual configuration file edits or REST API operations.

Benefits of converting events to metric data points

Convert events to metric data points when the log data is essentially a stream of numeric measurements. Metrics indexes store metric data points in a format that provides faster search performance and more efficient storage than events in event indexes.

Additionally, if you use Splunk Enterprise, there may be some license quota benefits to log-to-metric conversion. For information about how metrics data is metered, see How Splunk Enterprise licensing works in the Admin Manual.

Conversion of events into metric data points with multiple measurements

Here are two log events that contain metrics data. Both of these events have the internaldata source type.

_time                          Event
08-05-2017 20:26:29.073 -0700  INFO Metrics - group=queue, name=aeq, max_size_kb=500, current_size_kb=300, current_size=53
08-05-2017 20:26:29.075 -0700  INFO Metrics - group=queue, name=indexqueue, max_size_kb=500, current_size_kb=200, current_size=55

After you set up the log-to-metrics configuration, the Splunk platform runs a process that extracts field-value pairs from events with the internaldata source type. It converts the numeric fields into measurement fields that follow this syntax: metric_name:<metric name>=<value>. It treats the remaining fields (group and name) as dimensions.

_time               group  name        metric_name:max_size_kb  metric_name:current_size_kb  metric_name:current_size
20:26:29.073 -0700  queue  aeq         500                      300                          53
20:26:29.075 -0700  queue  indexqueue  500                      200                          55

Anatomy of a log-to-metrics metric data point

Each metric data point contains a _time field and one or more measurement fields. Metric data points can also have one or more dimension fields. Learn more about metric data points in Overview of metrics.

The following table explains how the log-to-metrics process derives the values of each metric data point field:

Metric field       Example                        Origin of value
_time              08-05-2017 20:26:29.075 -0700  Uses the _time value from the original event. If multiple metric data points are generated from a single event, they all share the same _time value.
measurement field  metric_name:current_size=53    Transforms a field with a numeric value into a measurement field with this syntax: metric_name:<metric_name>=<numeric_value>.
metric_name        current_size                   Uses the name of the field that provides the numeric_value for the measurement. In this case, the measurement is based on current_size=53.
numeric_value      53                             Uses the value of the numeric field that the measurement is based on. In this case, the measurement is based on current_size=53.
dimension field    group=queue, name=indexqueue   Any fields in a log event besides _time that are not otherwise identified as measurement fields or excluded fields become dimension fields. All metric data points generated from the same log event share the same timestamp and dimension field-value pairs.

The Splunk platform cannot index metric data points with metric_name values that have the following conditions:

  • Empty values or any white spaces
  • Characters other than a-z, A-Z, 0-9, ., :, and _
  • Leading numbers or underscores
  • The reserved string metric_name

Set up basic ingest-time log-to-metric conversions through Splunk Web

Use Splunk Web to set up ingest-time conversion of logs to metric data points when all of the events in the log being ingested share the same fields.

There are two stages to the Splunk Web process for setting up log-to-metrics conversion:

  1. Create a new source type of the Log to Metrics category on the Source Types listing page in Settings.
  2. Associate that Log to Metrics source type with an appropriate log data input when you create or edit the input.

For more information, see Set up ingest-time log-to-metrics conversion in Splunk Web.

Create sophisticated ingest-time log-to-metric conversions with props.conf and transforms.conf

Manually create configurations in transforms.conf and props.conf for ingest-time conversion of logs to metric data points when the events in the log being ingested have different sets of measurement fields. For example, you can design configurations that sort events by the values of a shared field and then apply specific log-to-metric conversion rules to each of those event groups.

For more information, see Set up ingest-time log-to-metrics conversion with configuration files.

Numeric fields that are never converted to metric measures

Certain numeric field names are reserved. The Splunk software cannot convert indexed fields with these names to metric measures. If any of your measure fields use these names, rename them before they undergo log-to-metric processing. The renaming requires changes to your transforms.conf configuration.

This is the list of reserved field names:

  • _event_status
  • _indextime
  • _subsecond
  • _value
  • date_hour
  • date_mday
  • date_minute
  • date_month
  • date_second
  • date_wday
  • date_year
  • date_zone
  • linecount
  • timeendpos
  • timestartpos
  • metric_timestamp
  • punct
  • time
  • timestamp
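To make the rules on this page concrete, here is an added Python model of the conversion described above: the key=value extraction from the sample events, the split into measures and dimensions, the excluded-field handling, the metric_name restrictions, and the reserved field names that must be renamed first. This is example code written for this page, not Splunk's implementation. The event layout it parses is the one shown in the two sample events; the third sample line, the rename argument and the way it reports reserved fields are assumptions of the example, because the page does not say what Splunk does with an unrenamed reserved field.

```python
"""Model of the log-to-metrics conversion described on this page.

Added example written for this page, not Splunk code. It applies the rules the
page states: key=value pairs are extracted, numeric fields become measures in
the metric_name:<name>=<value> form, excluded fields are dropped, every other
field becomes a dimension, and the reserved field names are never converted.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Reserved numeric field names listed on this page. They are never converted
# to measures; the page says to rename them (via transforms.conf) beforehand.
RESERVED_FIELDS = frozenset({
    "_event_status", "_indextime", "_subsecond", "_value", "date_hour",
    "date_mday", "date_minute", "date_month", "date_second", "date_wday",
    "date_year", "date_zone", "linecount", "timeendpos", "timestartpos",
    "metric_timestamp", "punct", "time", "timestamp",
})

# The metric_name rules from this page: non-empty, no whitespace, only
# a-z A-Z 0-9 . : _, no leading digit or underscore, not the literal "metric_name".
METRIC_NAME_RE = re.compile(r"[A-Za-z.:][A-Za-z0-9._:]*")


def valid_metric_name(name: str) -> bool:
    return name != "metric_name" and METRIC_NAME_RE.fullmatch(name) is not None


# Assumed event layout, taken from the page's two sample events: a timestamp
# ending in a UTC offset, free text, then comma-separated key=value pairs.
EVENT_RE = re.compile(r"(?P<time>\S+ \S+ [+-]\d{4})\s+(?P<body>.*)")
KV_RE = re.compile(r"(\w+)=([^,\s]+)")


def parse_event(line: str) -> tuple[str, dict[str, str]]:
    m = EVENT_RE.fullmatch(line.strip())
    if m is None:
        raise ValueError(f"unrecognised event layout: {line!r}")
    return m.group("time"), dict(KV_RE.findall(m.group("body")))


def is_numeric(value: str) -> bool:
    try:
        float(value)
    except ValueError:
        return False
    return True


@dataclass
class MetricDataPoint:
    """One data point per event; its measures share the event's _time and dimensions."""
    time: str
    dimensions: dict[str, str] = field(default_factory=dict)
    measures: dict[str, float] = field(default_factory=dict)  # "metric_name:<name>" -> value


def convert(lines, measure_fields=None, excluded=frozenset(), rename=None):
    """Return (data_points, refused).

    measure_fields=None models the 'treat every numeric field as a measure'
    behaviour; otherwise only the named fields are measures. rename maps field
    names (for example reserved ones) to replacements before conversion.
    Fields the page says cannot become measures are collected in refused
    instead of converted; what Splunk itself does with them is not stated here.
    """
    rename = rename or {}
    points, refused = [], []
    for line in lines:
        when, fields = parse_event(line)
        fields = {rename.get(k, k): v for k, v in fields.items()}
        dp = MetricDataPoint(time=when)
        for name, value in fields.items():
            if name in excluded:
                continue
            wanted = is_numeric(value) if measure_fields is None else name in measure_fields
            if not wanted:
                dp.dimensions[name] = value
            elif name in RESERVED_FIELDS or not valid_metric_name(name) or not is_numeric(value):
                refused.append((name, value))
            else:
                dp.measures[f"metric_name:{name}"] = float(value)
        points.append(dp)
    return points, refused


# The page's two sample events plus one constructed line that carries the
# reserved field name "time", to show the refusal and the rename fix.
SAMPLE_EVENTS = [
    "08-05-2017 20:26:29.073 -0700 INFO Metrics - group=queue, name=aeq, max_size_kb=500, current_size_kb=300, current_size=53",
    "08-05-2017 20:26:29.075 -0700 INFO Metrics - group=queue, name=indexqueue, max_size_kb=500, current_size_kb=200, current_size=55",
    "08-05-2017 20:26:29.080 -0700 INFO Metrics - group=queue, name=typingqueue, time=12, current_size=7",
]

if __name__ == "__main__":
    for label, kwargs in [("as-is", {}), ("renamed", {"rename": {"time": "queue_time"}})]:
        points, refused = convert(SAMPLE_EVENTS, **kwargs)
        print(label, "refused:", refused)
        for dp in points:
            print(" ", dp.time, dp.dimensions, dp.measures)
```

Run as-is, the third constructed event loses its time=12 field (it is reported in refused, not converted); with rename={"time": "queue_time"} the same value becomes the measure metric_name:queue_time=12, which is the renaming step the page asks you to do in transforms.conf before conversion. Passing excluded={"name"} drops that field from the dimensions, and passing an explicit measure_fields set turns the remaining numeric fields into dimensions, mirroring the two ways of identifying measures described above.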
Last modified on 12 October, 2021

This documentation applies to the following versions of Splunk® Enterprise: 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10
