Splunk® Enterprise

Metrics



Splunk Enterprise version 8.1 will no longer be supported as of April 19, 2023. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Configure StatsD dimension extraction through REST API endpoints

If you use Splunk Cloud Platform or simply do not have Splunk filesystem access, you can configure dimension extraction for unsupported StatsD formats by making manual calls to REST API endpoints. You may need to configure dimension extraction if your StatsD client embeds dimensions in the metric name.

Prerequisites

Steps

  1. Define a custom source type for your StatsD metrics data by using the /services/saved/sourcetypes REST endpoint:
    https://<host>:<mPort>/services/saved/sourcetypes   \
    -d "name=<metrics_sourcetype_name>&METRICS_PROTOCOL=statsd&STATSD-DIM-TRANSFORMS=<statsd_dim_stanza_name>&SHOULD_LINEMERGE=false&ANNOTATE_PUNCT=false&ADD_EXTRA_TIME_FIELDS=false&DATETIME_CONFIG=CURRENT&pulldown_type=true&category=Metrics"
    
    • metrics_sourcetype_name: The name of your custom metrics source type.
    • statsd_dim_stanza_name: A list of transforms stanza names that specify how to extract dimensions. If only one stanza is used for the source type, and the transforms stanza name is the same as the metrics_sourcetype_name, the STATSD-DIM-TRANSFORMS setting can be omitted.

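    For example, enter the following command. Here admin:changeme is an example credential pair, and -k tells curl to skip TLS certificate verification: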

    curl -k -u admin:changeme https://localhost:8089/services/saved/sourcetypes   \
    -d "name=statsd_custom&METRICS_PROTOCOL=statsd&STATSD-DIM-TRANSFORMS=statsd-ex&SHOULD_LINEMERGE=false&ANNOTATE_PUNCT=false&ADD_EXTRA_TIME_FIELDS=false&DATETIME_CONFIG=CURRENT&pulldown_type=true&category=Metrics"
    
  2. Create one or more regular expressions to extract the dimensions from metric_name by using the /data/transforms/statsdextractions REST endpoint:
    https://<host>:<mPort>/services/data/transforms/statsdextractions \
    -d "name=<unique_transforms_stanza_name>&REGEX=<regular expression>&REMOVE_DIMS_FROM_METRIC_NAME=<Boolean>"
    
    • unique_transforms_stanza_name: A unique name for this stanza.
    • REGEX = <regular expression>: A regular expression that defines how to match and extract dimensions from StatsD metrics data. The Splunk platform supports a named capturing-group extraction format (?<dim1>group)(?<dim2>group)... to provide dimension names for the corresponding values that are extracted.
    • REMOVE_DIMS_FROM_METRIC_NAME = <Boolean>: Specifies whether unmatched segments of the StatsD dotted name segment are used as the metric_name.
      When true, dimension values are removed from the measurement and the unmatched portion becomes the metric_name. The default value is true.

      When false, extracted dimension values are included in the metric_name.

      For example, a metric measurement name is "x.y.z". The regular expression matches "y" and "z". When REMOVE_DIMS_FROM_METRIC_NAME is true, metric_name is "x". When false, metric_name is "x.y.z".

    For example, enter the following command:

    curl -k -u admin:changeme https://localhost:8089/services/data/transforms/statsdextractions \
    -d "name=statsd-ex&REGEX=\.(?<hostname>\S%2B?)\.(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})&REMOVE_DIMS_FROM_METRIC_NAME=true"
    
  3. Reload the metrics processor to load the configuration changes by using the /admin/metrics-reload/_reload REST endpoint:
    https://<host>:<mPort>/services/admin/metrics-reload/_reload
    

    For example, enter the following command:

    curl -k -u admin:changeme \
    https://localhost:8089/services/admin/metrics-reload/_reload
    
  4. Create a data input for this source type as described in Set up a data input for StatsD data, and select your custom source type.
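
The regular expression from step 2 can be checked locally before it is posted. The following is an added example, not Splunk's code: it applies the page's sample regex to constructed measurement names and builds the URL-encoded form body. The function names, and the rule that the whole matched span is cut from the name, are assumptions made for illustration.

```python
import re
from urllib.parse import urlencode

# Regex from the page's step 2 example, with %2B decoded back to "+".
SPLUNK_REGEX = r"\.(?<hostname>\S+?)\.(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"


def to_python_regex(splunk_regex):
    """Rewrite PCRE-style (?<name>...) groups as Python's (?P<name>...)."""
    return re.sub(r"\(\?<(?![=!])", "(?P<", splunk_regex)


def extract(measurement, splunk_regex, remove_dims=True):
    """Return (metric_name, dimensions) for one StatsD measurement name.

    Simplified local model (assumption): when remove_dims is true, the whole
    matched span is cut out of the name. Splunk's own processor may differ
    in edge cases.
    """
    m = re.search(to_python_regex(splunk_regex), measurement)
    if m is None:
        return measurement, {}  # no match: name unchanged, no dimensions
    dims = m.groupdict()
    if not remove_dims:
        return measurement, dims
    return measurement[:m.start()] + measurement[m.end():], dims


def form_body(stanza, splunk_regex, remove_dims=True):
    """URL-encode the POST body so '+', '&' and '\\' in the regex survive."""
    return urlencode({
        "name": stanza,
        "REGEX": splunk_regex,
        "REMOVE_DIMS_FROM_METRIC_NAME": "true" if remove_dims else "false",
    })


if __name__ == "__main__":
    # Constructed sample measurement names, not taken from the page.
    for name in ("cpu.web01.10.2.3.4.idle", "cpu.idle.web01.10.2.3.4", "cpu.idle"):
        for flag in (True, False):
            print(name, flag, extract(name, SPLUNK_REGEX, flag))
    print(form_body("statsd-ex", SPLUNK_REGEX))
```

In the second sample name, `\S+?` also matches dots, so hostname captures "idle.web01" and only "cpu" remains as the metric_name. A check like this shows that before the stanza is loaded.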
Last modified on 02 September, 2021

This documentation applies to the following versions of Splunk® Enterprise: 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.2.0, 9.2.1

