https://community.splunk.com/t5/Splunk-Search/How-to-correctly-use-mstats-rate-without-listing-all-dimensions/m-p/485761#M193605 <P>I have a monotonic counter metric named http_req and my metric data points are tagged with <EM>path</EM> and <EM>host</EM> dimensions, eg. path=/accounts or path=/transactions, host=server-1 or host=server-2.</P> <P>Application running on each host starts with metric value 0 and increases the value after every request processed. If host is restarted, counting restarts from 0. Every application creates it's own metric data points.</P> <P>I can create a visualization showing number of calls processed in time while grouping per path and discarding the host aspect using:</P> <PRE><CODE>| mstats rate(http_req) as http_req_rate WHERE index="metrices" by path,host span=1m | stats sum(http_req_rate) by _time,path | xyseries _time path sum(http_req_rate) </CODE></PRE> <P>I noticed that I need to specify all dimensions in BY clause of mstats for rate() to work correctly. Having known set of dimensions I can create proper query, but in the future more dimensions will be added.</P> <P>Can this query be written in such way that listing all the dimensions is not necessary? eg. is there something like presented below possible?</P> <PRE><CODE>| mstats ... by all-dimensions </CODE></PRE> Tue, 21 Jan 2020 12:38:24 GMT y0ft 2020-01-21T12:38:24Z https://community.splunk.com/t5/Splunk-Search/How-to-correctly-use-mstats-rate-without-listing-all-dimensions/m-p/485761#M193605 <P>I have a monotonic counter metric named http_req and my metric data points are tagged with <EM>path</EM> and <EM>host</EM> dimensions, eg. path=/accounts or path=/transactions, host=server-1 or host=server-2.</P> <P>Application running on each host starts with metric value 0 and increases the value after every request processed. If host is restarted, counting restarts from 0. Every application creates it's own metric data points.</P> <P>I can create a visualization showing number of calls processed in time while grouping per path and discarding the host aspect using:</P> <PRE><CODE>| mstats rate(http_req) as http_req_rate WHERE index="metrices" by path,host span=1m | stats sum(http_req_rate) by _time,path | xyseries _time path sum(http_req_rate) </CODE></PRE> <P>I noticed that I need to specify all dimensions in BY clause of mstats for rate() to work correctly. Having known set of dimensions I can create proper query, but in the future more dimensions will be added.</P> <P>Can this query be written in such way that listing all the dimensions is not necessary? eg. is there something like presented below possible?</P> <PRE><CODE>| mstats ... by all-dimensions </CODE></PRE> Tue, 21 Jan 2020 12:38:24 GMT https://community.splunk.com/t5/Splunk-Search/How-to-correctly-use-mstats-rate-without-listing-all-dimensions/m-p/485761#M193605 y0ft 2020-01-21T12:38:24Z https://community.splunk.com/t5/Splunk-Search/How-to-correctly-use-mstats-rate-without-listing-all-dimensions/m-p/485762#M193606 <P>I found a workaround: add another dimension - tsid (time series identifier) - with random constant value for every counter.</P> <PRE><CODE>| mstats rate(http_req) as http_req_rate WHERE index="metrices" by tsid,path span=1m | stats sum(http_req_rate) by _time,path | xyseries _time path sum(http_req_rate) </CODE></PRE> Mon, 27 Jan 2020 09:12:34 GMT https://community.splunk.com/t5/Splunk-Search/How-to-correctly-use-mstats-rate-without-listing-all-dimensions/m-p/485762#M193606 y0ft 2020-01-27T09:12:34Z https://community.splunk.com/t5/Splunk-Search/How-to-correctly-use-mstats-rate-without-listing-all-dimensions/m-p/485763#M193607 <P>I found a solution:</P> <PRE><CODE>| mstats rate(http_req) as http_req_rate WHERE index="metrices" by _timeseries,path span=1m | stats sum(http_req_rate) by _time,path | xyseries _time path sum(http_req_rate) </CODE></PRE> <P>Documentation around it could be improved. It is only mentioned in <A href="https://docs.splunk.com/Documentation/Splunk/8.0.1/Metrics/Histogramdatatype">https://docs.splunk.com/Documentation/Splunk/8.0.1/Metrics/Histogramdatatype</A></P> Mon, 27 Jan 2020 13:55:44 GMT https://community.splunk.com/t5/Splunk-Search/How-to-correctly-use-mstats-rate-without-listing-all-dimensions/m-p/485763#M193607 y0ft 2020-01-27T13:55:44Z