All Apps and Add-ons

mstats - spaces in metric names

janispelss
Path Finder

Is there a way to use the improved mstats syntax introduced in 7.1 (changes described here) with metrics that have spaces in their names? I'm getting an error "Term based search is not supported" when I try.

I'm trying out the new Splunk Add-on for Microsoft Windows version, which includes the transforms necessary for storing the permon data in metrics indexes. It works great, except for the cases where the perfmon counter name has spaces in it.

For example, this search works:

| mstats avg("Threads") where index=my_metric_index span=1m

But this one produces the error mentioned above:

| mstats avg("% Processor Time") where index=my_metric_index span=1m

I can get the result I need using the deprecated syntax like this, but there's a reason why it's deprecated:

| mstats avg(_value) where index=my_metric_index metric_name="% Processor Time" span=1m

Any good way to resolve this? Currently the only thing that comes to mind is removing or replacing the spaces using SEDCMD, but that doesn't seem very optimal.

0 Karma
1 Solution

janispelss
Path Finder

Since I wasn't able to find another way, I went with the SEDCMD replacement approach.

SEDCMD-perfmons = s/(?<!\d\d) /_/g

This SEDCMD only replaces spaces that are after 2 digits, to avoid replacing spaces in the timestamp (seemed to interfere with correct timestamp recognition).

Still not sure that this is the best approach, but since the regex is simple enough, I hope it will be ok for the data amounts I'm getting. At least until there's a better solution.

View solution in original post

0 Karma

riptivoli
Engager

I see the exact same behavior. Anyone have any pointers? Or a better workaround?,I see the exact same behavior. Does anyone have any pointers?

0 Karma

janispelss
Path Finder

Since I wasn't able to find another way, I went with the SEDCMD replacement approach.

SEDCMD-perfmons = s/(?<!\d\d) /_/g

This SEDCMD only replaces spaces that are after 2 digits, to avoid replacing spaces in the timestamp (seemed to interfere with correct timestamp recognition).

Still not sure that this is the best approach, but since the regex is simple enough, I hope it will be ok for the data amounts I'm getting. At least until there's a better solution.

0 Karma

yannK
Splunk Employee
Splunk Employee

try to put the field name between single tick.

 | mstats avg('% Processor Time')
0 Karma

janispelss
Path Finder

Unfortunately, this doesn't work for me. Splunk seems to think that the first space signals the end of the avg expression - the error I get is

Error in 'mstats' command: Invalid token: avg('%
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...