topic Re: metric stats in Splunk Search

metric stats

gerbert — Wed, 10 Mar 2021 13:20:40 GMT

Hello,

I'm still very new to splunk and I could use some help. I hope this question is not too general. I would like to use something like "|eval" before "|mstats", where I have to use |mstats because I use metric names. So just using "|stats" is no option.

So I want something like this:

|eval = new_field_name=substr(some_field_name, 3, 2)
|mstats max(some_metric_field) prestats=f chart=t chart.limit=200 WHERE index=some_index span=1h by new_field_name

But I get the error message:
Error in 'mstats' command: This command must be the first command of a search.

Another problem I have with metric data is that the following search gives me the results I want but is very slow. Any idea why or even better how to fix it?

|mpreview index=some_index
|search non_metric_field!=0
|stats count by some_field_name

Re: metric stats

lorenzoalbanof — Mon, 17 May 2021 09:11:44 GMT

Hi,

This is exactly my problem @gerbert.

I have overly informative metric_name values (containing what should be dimensions inside them, separated by a ".") and would like to extract shorter ones to aggregate upon. And then use mstats.

The trivial difference is that I would extract the new metric and dimension using rex

| rex field=metric_name "dim1\.dim2\.(?<dim3>.+?)\.(?<metric_name_short>\w+)"
| mstats avg(_value) as val WHERE index=indexz AND metric_name="dim1.dim2.*.*" span=5m by host, metric_name_short , dim3

But this is not allowed. So unless my admin re-indexes our metric index...

Re: metric stats

gerbert — Fri, 21 May 2021 18:24:25 GMT

I'm sorry I can't help you. We ended up reindexing exactly like you suggested in the end of your post.