Skip to main content

Hello,

I have some trouble sending out system metrics from an Edge node to eventually Splunk. When the data stream is leaving Edge (captured at step 4) it still contains internal fields related to a metric event. When the data is collected in Stream all of those internal fields are missing and I'm ending up with a _raw field. There are no pipelines interfering with the data at all between Edge and Stream. Just a passthrough is set. Am I missing the point here? 🙂

Do I have to manually transform the _raw to metric events again from Stream forwards? Is there a way to preserve the internal fields from Edge to Stream? Last resort is to send it out directly to Splunk HEC from Edge node but I want to channel as much through Stream as possible.

Any thoughts? Thanks in advance!,
Reemster

So, even for Edge to Stream, the internal metrics dont get passed. I was told this was being worked on, but I guess not.

On my post processing pipeline I do an eval for the metrics sourcetype/indes:

criblMetrics = __criblMetrics

Then, back in Stream, I just re-assign it back:

__criblMetrics = criblMetrics

That is how I do it right now on version 3.1.2

This was tracked internally in CRIBL-9744. I show it marked as fixed as of the 3.5.0 release. What version are you seeing this in?

Hi,

Im currently on version 3.5.1.

Regards,
Reemster

What protocol are you using to send between Edge and Worker? Cribl TCP or Cribl HTTP would be the preferred options.

Im using TCP at the moment. When I did a complete reinstall of worker and edge node the metrics are flowing in again. No clue what caused the issue. It has been resolved!

Thanks for the feedback and have a nice weekend!

Reemster

Reply


Terms & ConditionsCookie settings