Searching OverOps data within Splunk

It might be useful to stream data from OverOps into Splunk for additional search, data discovery, visualizations and advanced analytics.

This can be achieved by utilizing the OverOps publish metrics capability, and can be configured by going to the OverOps settings menu. (Settings -> Publish Metrics)

But first, the Splunk environment will need to have the proper data input established to accept statsD data.  See Splunk documentation to create the data input:  https://docs.splunk.com/Documentation/Splunk/7.1.0/Metrics/GetMetricsInStatsd

Note the Splunk data input in this use case should be defined as the following:

  1. Port: UDP
  2. Source Type: Metrics -> StatsD
  3. App Context: Search & Reporting
  4. Index Type: Events

Now we can configure OverOps to publish metrics to the Splunk data input.

  1. From the OverOps UI, go to Settings -> Publish Metrics
  2. Turn the toggle on for StatsD
  3. For the server address, enter the <splunk server>:<splunk udp port number>
  4. Specify the metric formats.   

The formats above are recommended for Splunk to easily extract the fields via the Splunk regular expression extraction method.  See Splunk documentation to extract fields with regular expressions:  http://docs.splunk.com/Documentation/Splunk/7.1.0/Knowledge/ExtractfieldsinteractivelywithIFX


Comments 0 comments

Please sign in to leave a comment.

Join conversation