Is there a way to remove the metric event but still send it to Splunk, not as a metric?
(If I hover over it, it says metric event.) I was trying to move _value to value and _metric to metric__name.
Answers
Remove the __criblMetric field (I think that's the name). That's where the metric data comes from. Does that do what you want?
Maybe. It's causing Splunk to not even search it, because I think Splunk sees this as a metric even though I'm trying to push it not to.
How did it turn into a metric event? Was it sent to Stream as such?
Yeah, Prometheus /write.
But a lot of these are like data healthcheck up/down.
To search for it in Splunk, it needs to go to a metric index if it's a metric. Remove that field I mentioned and it can go to a regular index and be searched.
__criblMetric, right?
I tried in the function in the pipeline.
View it in preview and enable the internal fields to get the exact name. I'm away from keyboard.
Ahhh, thx.
It's plural at the very least.
__criblEventType:event
__criblMetrics:
Cool, thanks, it worked. There's no M there anymore for metrics.