I am trying to use the mstats and mcatalog commands.
It just simply does not work. I think it's the Splunk settings side I'm missing,
such as this:
| mstats sum(bytes) latest(_time) where index=metrics_app_dest_survey by app_name
I'm using an admin account. Is there anything wrong with the user role capability?
I only see one thing relevant:
list_metrics_catalog is an added capability, but it is still not working.
What am I missing? Thanks!
When you execute:
| mcatalog values(metric_name) where index=metrics_app_dest_survey
Do you get any values back?
You can't aggregate time, so you need to remove latest(_time). This should work:
| mstats sum(bytes) where index=metrics_app_dest_survey by app_name