mstats - spaces in metric names

Path Finder

Is there a way to use the improved mstats syntax introduced in 7.1 (changes described here) with metrics that have spaces in their names? I'm getting an error "Term based search is not supported" when I try.

I'm trying out the new Splunk Add-on for Microsoft Windows version, which includes the transforms necessary for storing the perfmon data in metrics indexes. It works great, except for the cases where the perfmon counter name has spaces in it.

For example, this search works:

| mstats avg("Threads") where index=my_metric_index span=1m

But this one produces the error mentioned above:

| mstats avg("% Processor Time") where index=my_metric_index span=1m

I can get the result I need using the deprecated syntax like this, but there's a reason why it's deprecated:

| mstats avg(_value) where index=my_metric_index metric_name="% Processor Time" span=1m

Any good way to resolve this? Currently the only thing that comes to mind is removing or replacing the spaces using SEDCMD, but that doesn't seem very optimal.

Path Finder

Since I wasn't able to find another way, I went with the SEDCMD replacement approach.

SEDCMD-perfmons = s/(?<!\d\d) /_/g

This SEDCMD only replaces spaces that are after 2 digits, to avoid replacing spaces in the timestamp (seemed to interfere with correct timestamp recognition).

Still not sure that this is the best approach, but since the regex is simple enough, I hope it will be ok for the data amounts I'm getting. At least until there's a better solution.
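
An added example, not part of the original post: a Python check of what the SEDCMD expression above does to an event before it is deployed. The regex is the one from the post and replaces each space that is not immediately preceded by two digits; the sample event layout and the counter name `Queue 10 Length` are constructed for illustration.

```python
import re

# Regex from the post's SEDCMD: s/(?<!\d\d) /_/g
# Matches a space that is NOT immediately preceded by two digits.
SPACE_NOT_AFTER_TWO_DIGITS = re.compile(r"(?<!\d\d) ")


def apply_sedcmd(raw_event: str) -> str:
    """Apply the substitution to the whole raw event, as SEDCMD does."""
    return SPACE_NOT_AFTER_TWO_DIGITS.sub("_", raw_event)


def rewritten_lines(raw_event: str) -> dict:
    """Return {original line: rewritten line} for every line that changed."""
    before = raw_event.splitlines()
    after = apply_sedcmd(raw_event).splitlines()
    return {b: a for b, a in zip(before, after) if a != b}


def surviving_spaces(raw_event: str) -> list:
    """Return the lines that still contain a space after the substitution."""
    return [line for line in apply_sedcmd(raw_event).splitlines() if " " in line]


# Constructed perfmon-style event (assumed layout, not captured data).
SAMPLE_EVENT = "\n".join([
    "04/12/2018 10:15:30.123 +0200",
    "collection=CPU",
    "object=Processor",
    'counter="% Processor Time"',
    "instance=_Total",
    "Value=12.5",
])

# Hypothetical counter name with a two-digit number followed by a space.
EDGE_CASE = 'counter="Queue 10 Length"'

if __name__ == "__main__":
    for old, new in rewritten_lines(SAMPLE_EVENT).items():
        print(f"{old!r} -> {new!r}")
    print("lines that keep a space:", surviving_spaces(SAMPLE_EVENT))
    print(f"{EDGE_CASE!r} -> {apply_sedcmd(EDGE_CASE)!r}")
```

The timestamp line is left alone because both of its spaces follow two digits, and for the same reason a space that follows a two-digit number inside a counter name is also left in place.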

Engager

I see the exact same behavior. Anyone have any pointers? Or a better workaround?

Splunk Employee

Try to put the field name between single ticks.

 | mstats avg('% Processor Time')

Path Finder

Unfortunately, this doesn't work for me. Splunk seems to think that the first space signals the end of the avg expression - the error I get is

Error in 'mstats' command: Invalid token: avg('%