We have updated our Terms of Service, Code of Conduct, and Addendum.

Cribl Edge (standalone): Windows Metrics - Splunk, do not result in actionable information

a.pietersen@eremote.nl
a.pietersen@eremote.nl Posts: 6
edited February 21 in General Discussions

I am new with Cribl.

Cribl Edge (standalone, installed on Windows 10 laptop for test/evaluation):

image.png



Windows Metrics do not return actionable information when forwarding to a standalone Splunk Enterprise instance.

What am I doing wrong or what I am missing here?

Windows Eventlog cribl-source is correctly received in json. But adding the Windows Metrics cribl-source to the same (working) Splunk Destination (default forwarding to port 9997) it shows:

image.png


All relevant metric_names seems to be received correctly, but no Values to find.
Besides, do not understand the metric_type "g".

I would expect a value-field in bytes

I have tried many things sofar, including Cloud Stream, searching in the docs and and start some basic first lessons on Cribl Universty. Neither an overall and understandable Google search explanation about type g. Stuck now!

Does somebody has a clue, suggestion, tip or direction to search in other sources?

Thanks

AshleyP

Tagged:

Answers

  • Jon Rust
    Jon Rust Posts: 507 mod

    It looks like you're sending to a normal splunk index? The metrics data needs to be sent to a metrics index. Can you confirm?

  • a.pietersen@eremote.nl
    a.pietersen@eremote.nl Posts: 6

    Thanks Jon for your respond,

    I will need to check, and trying to understand what you mean.

    But what other index do you suggest based on on port 9997. Nb. Cribl Edge advertise itself as an "Heavy Forwarder" in Splunk. Other ports, like I use for Kepware for many years now, van ingest OPC DA metrics and its IT-suite (windos eventlogs + windows metrics) does not seems to work fine). Trying to understand the benefit to step over to Cribl.

    If I activate a standard "universal forwarder" on e.g. port: 52122 it is not solving this issue. Btw:: we use Splunk Enterprise 9.4.0 and Cribl Edge 4.10

    Thanks and regards
    AshleyP

  • Jon Rust
    Jon Rust Posts: 507 mod

    This is a splunk issue. They have different index types for log data and metrics data. You need to send the metrics you're collecting to a metrics index. You can set the index in Cribl easily in a pipeline, or in the Source config under Fields.

  • a.pietersen@eremote.nl
    a.pietersen@eremote.nl Posts: 6

    Thanks Jon,

    I will need to investigate this further. Although I have experiment several paths, also within Splunk.

    regards

    Ashley

Categories