Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Metrics Index - How to get metric_searchtime field value in search result

shadabgaur
New Member
‎04-08-2019 07:03 PM

I uploaded a csv file in metric index. I can see index's data there is no issue in that.

My query is:
I want to get metric_timestamp in search query to perform some action on that. Is it possible to use "metric_timestamp" field in mstat commands? I always get error whenever I tried to apply any statistical function (i.e. latest etc) on "metric_timestamp" or used it as a dimension field (where index=xyz by metric_timestamp).

mcatalog just displays the schema, not the values from "metric_timestamp" field.

Any help is greatly appreciated. Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

thaggie_splunk
Splunk Employee
Splunk Employee
‎04-09-2019 08:58 AM

For mstats to project by time you need to give it a span, so queries of the form:

| mstats avg("abc") WHERE index="xyz" span=10s

It's not possible to aggregate time, so you can't do things like latest("_time").

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

thaggie_splunk
Splunk Employee
Splunk Employee
‎04-09-2019 08:58 AM

For mstats to project by time you need to give it a span, so queries of the form:

| mstats avg("abc") WHERE index="xyz" span=10s

It's not possible to aggregate time, so you can't do things like latest("_time").

0 Karma
Reply
Solved! Jump to solution

shadabgaur
New Member
‎04-09-2019 05:54 PM

Thanks for quick response Thaggie. So, we cannot use this field "metric_timestamp" in anywhere in our search except spanning the chart based on it.

0 Karma
Reply
Solved! Jump to solution

thaggie_splunk
Splunk Employee
Splunk Employee
‎04-10-2019 07:39 AM

That's right

0 Karma
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...