Send metrics data from Ingest Processor to a Splunk platform metrics index

Send your data from Ingest Processor to a Splunk platform metrics index. First generate logs to metrics, and add a Splunk metrics store destination in the Ingest Processor service. Depending on the environment that your Ingest Processor is installed in, you can configure the destination to use different authentication methods to access your bucket: You can then create a pipeline that uses that destination. When you apply that pipeline to your Ingest Processor, the Ingest Processor starts sending data that it receives to a Splunk platform metrics index. Selecting Splunk metrics index as a destination involves selecting a metrics destination and a corresponding metrics index.

Prerequisites

Create metrics index

You can create metrics indexes with Splunk Web, the CLI, the REST API, or by editing the indexes.conf file directly. For more about metrics, see Overview of metrics in the Metrics manual.

Create a metrics index in Splunk Web

  1. In Splunk Web, navigate to Settings, then Indexes, and click New.
  2. For Index Name, type a name for the index. User-defined index names must consist of only numbers, lowercase letters, underscores, and hyphens. Index names cannot begin with an underscore or hyphen, or contain the word "kvstore".
  3. For Index Data Type, click Metrics.
  4. (Optional) Set Timestamp Resolution to Milliseconds if you want the metrics index to store metric data points at that increased level of granularity. Metrics indexes with millisecond timestamp resolution have decreased search performance. For more information, see Metrics indexes with millisecond timestamps in the Create custom indexes topic in the Managing Indexers and Clusters of Indexers manual.
  5. Enter the remaining properties of the index as needed. For details, see Create events indexes.
  6. Click Save.

On the Select a metrics destination page, select the name of the metrics index destination that you want to send your metrics to.

Steps

The following steps must be completed in order to send metrics data from Ingest Processor to a Splunk metrics index.

  1. Create a pipeline:

    1. On the Pipelines page, select New pipeline.

    2. Follow the on-screen instructions to define a partition, optionally enter sample data, and select a data destination. Set the data destination to the Splunk platform deployment that you want to send logs to.

    After you complete the on-screen instructions, the pipeline builder displays the SPL2 statement for your pipeline.

  2. Configure the pipeline to convert logs into metrics. For more information, see Generate logs into metrics using Ingest Processor.

    When you add the logs_to_metrics command to your pipeline, a pipeline action called Send data to $metrics_destination is also added to the pipeline.

  3. Select the Send data to $metrics_destination action to edit it. Do the following:

    1. Select the Splunk platform destination where your metrics index is located.

    2. Select one of the following options in the expanded destination panel:
      Option Description
      Default

      The pipeline does not route events to a specific index.

      If the event metadata already specifies an index, then the event is sent to that index. Otherwise, the event is sent to the default index of the Splunk Cloud Platform deployment.

      Note: Only select this option if your events include a metadata field named index that contains the name of your metrics index.
      Specify index for events with no index The pipeline only routes events to your specified index if the event metadata did not already specify an index.
      Specify index for all events The pipeline routes all events to your specified index.

    3. If you selected Specify index for events with no index or Specify index for all events, then from the Index name drop-down list, select the name of the metrics index that you want to send your data to.

      If your desired index is not available in the drop-down list, then confirm that the index is configured to be available to the tenant and then refresh the connection between the tenant and the Splunk Cloud Platform deployment. For detailed instructions, see Make more indexes available to the tenant.
      Note: If you're sending data to a Splunk Cloud Platform deployment, be aware that the destination index is determined by a precedence order of configurations. See How does Ingest Processor know which index to send data to? for more information.

    4. Select Apply to confirm the data destination for metrics.

  4. Save and apply your pipeline.