Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

mstats command

Shakira1
Explorer
‎10-04-2023 12:07 AM

Hi,

I have this command: 

| mstats avg("value1) prestats=true WHERE "index"="my_index" span=10s BY host
| timechart avg("value1") span=10s useother=false BY host WHERE max in top5

and I would like to count the host and trigger when I have less then 3 hosts. 

I tired something like that:

```|stats dc(host) as c_host | where c_host > 3,``` but its not working as usual .

 

any idea? thanks!  

Labels (1)
Labels
Tags (1)
0 Karma
Reply

Shakira1
Explorer
‎10-04-2023 12:43 AM

this is my search: 

| mstats avg("value1) prestats=true WHERE "index"="my_index" span=10s BY host
| timechart avg("value1") span=10s useother=false BY host WHERE max in top5

which is working fine. 

I just want to create a new alert that triggered when the host count is less then 3. 

how can I do that?

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-04-2023 12:46 AM

If that is your search, you should be getting an error!

Is the search relevant to the count you want i.e. should the count be based on the results of a working search, or from the index, or from part of the search?

0 Karma
Reply

Shakira1
Explorer
‎10-04-2023 01:08 AM

not sure why you say that. but its working.

just to be clear = value1 = to some internal parameter.

index = my index.

and base on that Im getting information about  the hosts . 

now I just want to count how many hosts reporting, when its less then 3 I want to trigger about it. 

hope its clear now. 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-04-2023 01:19 AM

| mstats avg("value1) prestats=true WHERE "index"="my_index" span=10s BY host

has a missing double quote so will give you an error

Also, assuming that this is corrected, you will get a field called something like "avg(value1)"

This means that you no longer have a field called "value1" so the timechart command has no field to do an average on.

This is why the search you provided does not work.

Assuming it is the timechart table that you want to count hosts for, you could untable the chart table

| untable _time host average
| stats dc(host) as c_host 
| where c_host < 3

 

0 Karma
Reply

Shakira1
Explorer
‎10-04-2023 02:12 AM

now I see 

first I missed double quote, so you are correct - so my search is: 
| mstats avg("value1") prestats=true WHERE "index"="my_index" span=10s BY host
| timechart avg("value1") span=10s useother=false BY host WHERE max in top5
 
now, if I want to search by what you worth:
| mstats avg("value1") prestats=true WHERE "index"="my_index" span=10s BY host
| untable _time host average | stats dc(host) as c_host 
 
OR
| timechart avg("value1") span=10s useother=false BY host WHERE max in top5
| untable _time host average | stats dc(host) as c_host
 

 

Anyway, I want to use mstats function and get a count for the host. 
0 Karma
Reply

Shakira1
Explorer
‎10-04-2023 02:15 AM

Ok, now i see and get the data. 

 

thanks!

Tags (1)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-04-2023 12:41 AM

It is not clear what you have actually tried and what is "not working". Please provide your full search, anonymised as necessary, and show how it is not working.

0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...