Splunk – Metrics Getting Data In my HEC Class

If you are using Splunk v7 you may be looking into the new Metrics store. This is a specialized index-time summary index.

If you want to play with it you can use my Splunk HTTP Collector Python Class. Set up a HEC token and a Metrics index as outlined in the Splunk docs; look at the section “Get metrics in from clients over HTTP or HTTPS”.

Then write a little Python to create a HEC connection object and set the payload to match the requirements in the Metrics docs.

Here is an example block of code, adapted from the example.py in my class's git repo.

A couple of comments. First, note that the “event” part of the payload, which normally holds your event dict, is just the word “metric”. Splunk requires this for metrics sent via HEC. Next, put your metric payload in the “fields” part of the HEC payload. This is a dict that HEC turns into index-time extractions. Normally you want to minimize HEC index-time extractions; Metrics, however, is solely index time. You must set metric_name and _value for the measurement in the fields dict. Any other keys in the fields dict become the dimension fields the Metrics docs talk about.
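As an added example (my own, not the HEC class or example.py from the repo), the payload layout described above with only the standard library: it builds the metric event, rejects a non-numeric _value and dimension keys that collide with the two reserved names, and POSTs a batch to the collector endpoint. The host/source/sourcetype defaults, the HEC URL and the token are placeholders.

```python
import json
import ssl
import time
import urllib.request

RESERVED = {"metric_name", "_value"}  # measurement keys, never dimensions


def build_metric_payload(metric_name, value, dimensions=None, host="host_1",
                         source="metrics", sourcetype="perflog", epoch=None):
    """Return one HEC metric event (host/source/sourcetype defaults are
    constructed sample values). "event" must be the literal word "metric";
    the measurement lives in "fields" as metric_name/_value and every other
    key in "fields" becomes a dimension."""
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        raise TypeError("_value must be numeric, got %r" % (value,))
    dims = dict(dimensions or {})
    clash = RESERVED & set(dims)
    if clash:
        raise ValueError("dimension keys clash with reserved names: %s" % sorted(clash))
    fields = {"metric_name": metric_name, "_value": value}
    fields.update({k: str(v) for k, v in dims.items()})  # dimension values are strings
    return {
        "time": epoch if epoch is not None else int(time.time()),
        "event": "metric",
        "host": host,
        "source": source,
        "sourcetype": sourcetype,
        "fields": fields,
    }


def send_metrics(hec_url, token, payloads, verify_tls=True):
    """POST a batch of metric events; HEC accepts concatenated JSON objects."""
    body = "".join(json.dumps(p) for p in payloads).encode("utf-8")
    req = urllib.request.Request(
        hec_url.rstrip("/") + "/services/collector", data=body, method="POST",
        headers={"Authorization": "Splunk " + token,
                 "Content-Type": "application/json"})
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for a lab instance with a self-signed cert
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    sample = build_metric_payload("cpu.usr", 42.12, {"region": "us-west-1", "rack": "63"},
                                  epoch=1486683865)
    print(json.dumps(sample, indent=2))
    # send_metrics("https://splunk.example:8088", "<HEC-TOKEN-PLACEHOLDER>", [sample])
```

Keep verify_tls=True outside a lab; the token travels in the Authorization header, so the HEC endpoint should only ever be reached over a verified HTTPS connection.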

Enjoy exploring the metrics store in Splunk.