Are you a member of the Splunk Community?
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- mstats - spaces in metric names
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is there a way to use the improved mstats syntax introduced in 7.1 (changes described here) with metrics that have spaces in their names? I'm getting an error "Term based search is not supported" when I try.
I'm trying out the new Splunk Add-on for Microsoft Windows version, which includes the transforms necessary for storing the permon data in metrics indexes. It works great, except for the cases where the perfmon counter name has spaces in it.
For example, this search works:
| mstats avg("Threads") where index=my_metric_index span=1m
But this one produces the error mentioned above:
| mstats avg("% Processor Time") where index=my_metric_index span=1m
I can get the result I need using the deprecated syntax like this, but there's a reason why it's deprecated:
| mstats avg(_value) where index=my_metric_index metric_name="% Processor Time" span=1m
Any good way to resolve this? Currently the only thing that comes to mind is removing or replacing the spaces using SEDCMD, but that doesn't seem very optimal.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Since I wasn't able to find another way, I went with the SEDCMD replacement approach.
SEDCMD-perfmons = s/(?<!\d\d) /_/g
This SEDCMD only replaces spaces that are after 2 digits, to avoid replacing spaces in the timestamp (seemed to interfere with correct timestamp recognition).
Still not sure that this is the best approach, but since the regex is simple enough, I hope it will be ok for the data amounts I'm getting. At least until there's a better solution.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I see the exact same behavior. Anyone have any pointers? Or a better workaround?,I see the exact same behavior. Does anyone have any pointers?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Since I wasn't able to find another way, I went with the SEDCMD replacement approach.
SEDCMD-perfmons = s/(?<!\d\d) /_/g
This SEDCMD only replaces spaces that are after 2 digits, to avoid replacing spaces in the timestamp (seemed to interfere with correct timestamp recognition).
Still not sure that this is the best approach, but since the regex is simple enough, I hope it will be ok for the data amounts I'm getting. At least until there's a better solution.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try to put the field name between single tick.
| mstats avg('% Processor Time')
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Unfortunately, this doesn't work for me. Splunk seems to think that the first space signals the end of the avg expression - the error I get is
Error in 'mstats' command: Invalid token: avg('%
Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain
Splunk Lantern’s Guide to The Most Popular .conf25 Sessions
Unlock What’s Next: The Splunk Cloud Platform at .conf25
