https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-search-metrics-index-with-mstats-to-aggregate-by-non/m-p/530651#M64253 <P>I am using&nbsp;<SPAN>Splunk Add-on for Unix and Linux 8.2.0 and enabled metrics index to collect disk usage.</SPAN></P><P>I can search the disk used percentage by below search but it is the average of all mount point.</P><LI-CODE lang="markup">| mstats avg(_value) where index=linux-os AND metric_name=df_metric.UsePct</LI-CODE><P>If I only want to stats metrics for a specific mount point, it seems there is no way to do it with mstats command. Is there any other approach to do it by utlizing the metrics index fast performance?</P><P>&nbsp;</P><P>By searching the raw data for the metrics index,&nbsp;</P><LI-CODE lang="markup">| msearch index=linux-os | search sourcetype=df_metric</LI-CODE><P>&nbsp;the search result is like below which shows data was ingested in _json format and metrics are created in a separate metrics index. However, in metrics index, there is no way to differentiate by MountedOn field as it's not a "metrics".</P><LI-CODE lang="markup">{ [-] Filesystem: /dev/vda1 IP_address: 10.1.2.3 MountedOn: / OS_name: Linux Server OS_version: 3 Type: ext4 entity_type: TA_Nix environment: dev metric_name:df_metric.Avail_KB: 11035324 metric_name:df_metric.Size_KB: 20509408 metric_name:df_metric.UsePct: 44 metric_name:df_metric.Used_KB: 8429164 }</LI-CODE><P>&nbsp;</P><P>Any thoughts or solution?</P> Tue, 24 Nov 2020 17:16:09 GMT chips 2020-11-24T17:16:09Z https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-search-metrics-index-with-mstats-to-aggregate-by-non/m-p/530651#M64253 <P>I am using&nbsp;<SPAN>Splunk Add-on for Unix and Linux 8.2.0 and enabled metrics index to collect disk usage.</SPAN></P><P>I can search the disk used percentage by below search but it is the average of all mount point.</P><LI-CODE lang="markup">| mstats avg(_value) where index=linux-os AND metric_name=df_metric.UsePct</LI-CODE><P>If I only want to stats metrics for a specific mount point, it seems there is no way to do it with mstats command. Is there any other approach to do it by utlizing the metrics index fast performance?</P><P>&nbsp;</P><P>By searching the raw data for the metrics index,&nbsp;</P><LI-CODE lang="markup">| msearch index=linux-os | search sourcetype=df_metric</LI-CODE><P>&nbsp;the search result is like below which shows data was ingested in _json format and metrics are created in a separate metrics index. However, in metrics index, there is no way to differentiate by MountedOn field as it's not a "metrics".</P><LI-CODE lang="markup">{ [-] Filesystem: /dev/vda1 IP_address: 10.1.2.3 MountedOn: / OS_name: Linux Server OS_version: 3 Type: ext4 entity_type: TA_Nix environment: dev metric_name:df_metric.Avail_KB: 11035324 metric_name:df_metric.Size_KB: 20509408 metric_name:df_metric.UsePct: 44 metric_name:df_metric.Used_KB: 8429164 }</LI-CODE><P>&nbsp;</P><P>Any thoughts or solution?</P> Tue, 24 Nov 2020 17:16:09 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-search-metrics-index-with-mstats-to-aggregate-by-non/m-p/530651#M64253 chips 2020-11-24T17:16:09Z https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-search-metrics-index-with-mstats-to-aggregate-by-non/m-p/530663#M64254 <P>&nbsp;</P><P>didn't realize I can use by clause on the non-metrics field.</P><LI-CODE lang="markup">|mstats avg(_value) where index=linux-os AND metric_name=df_metric.UsePct by MountedOn | where MountedOn="/opt"</LI-CODE><P>&nbsp;</P><P>&nbsp;</P> Tue, 24 Nov 2020 18:58:48 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-search-metrics-index-with-mstats-to-aggregate-by-non/m-p/530663#M64254 chips 2020-11-24T18:58:48Z