Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do you search metrics? (contradictory documentation)

sillingworth
Path Finder
‎10-23-2018 09:26 AM

The documentation appears to contradict itself on this. The mstats documentation tends to perform its functions on the metric name (eg "avg(this_is_my_metric_name)") and states:

The WHERE clause cannot filter by metric_name. metric_name filtering is performed based on the metric_name fields specified by the <stats-metric-term> argument.

but the Metrics documentation does the opposite in its examples - its stats-metric-term is "_value" rather than a metric name, and its where clause filters on the metric name:

| mstats avg(_value) WHERE index=mymetricdata AND metric_name=aws.ec2.CPUUtilization span=30s

So which is the truth, and why do the documents contradict each other, or am I misunderstanding something?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

thaggie_splunk
Splunk Employee
Splunk Employee
‎10-23-2018 09:57 AM

mstats can be used in two ways, where the metric name is used in the aggregation and where it is used in the filter.
To group by time, you add a span.

These are equivalent:

| mstats avg(_value) WHERE metric_name="my.metric.name" AND index="my-metrics-index" span=10s
| mstats avg(my.metric.name) WHERE index="my-metrics-index" span=10s

View solution in original post

Reply
Solved! Jump to solution
Solution

thaggie_splunk
Splunk Employee
Splunk Employee
‎10-23-2018 09:57 AM

mstats can be used in two ways, where the metric name is used in the aggregation and where it is used in the filter.
To group by time, you add a span.

These are equivalent:

| mstats avg(_value) WHERE metric_name="my.metric.name" AND index="my-metrics-index" span=10s
| mstats avg(my.metric.name) WHERE index="my-metrics-index" span=10s
Reply
Solved! Jump to solution

sillingworth
Path Finder
‎10-23-2018 10:06 AM

So I should never put "by _time" - simply including a span does that automatically?

0 Karma
Reply
Solved! Jump to solution

thaggie_splunk
Splunk Employee
Splunk Employee
‎10-23-2018 10:08 AM

That is correct

0 Karma
Reply
Solved! Jump to solution

thaggie_splunk
Splunk Employee
Splunk Employee
‎10-23-2018 10:10 AM

A good way to learn the mstats command is to install the "Metrics Workspace" app https://splunkbase.splunk.com/app/4192/ and see what it does.

Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎12-16-2018 09:50 PM

Good learning about "metrics" feature. thanks for sharing.

0 Karma
Reply
Solved! Jump to solution

sillingworth
Path Finder
‎10-23-2018 10:12 AM

Great - I'll do that, as I'm still struggling to do anything more than a simple search (eg a time chart by host). Thanks.

0 Karma
Reply
Solved! Jump to solution

sillingworth
Path Finder
‎10-23-2018 09:29 AM

Also, does anybody have an example of grouping by _time that actually works? I always get "Error in 'mstats' command: Metrics Processor: Specify the span argument to group events by time." even after including a span.

0 Karma
Reply
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...