Hi All,
I have a query that converts event logs to metrics (search time processing) :
| index=<indexname> sourcetype=<sourcetype> host=<hostame>
| spath input=log.dmc
| eval metric_name = 'log_processed.dmc.metricName'
| eval tenantId = 'log.dmc.tenantId'
| eval metric_value = tonumber('log_processed.dmc.value')
| eval _time = strptime('log_processed.timestamp', "%Y-%m-%d %H:%M:%S.%3N")
| fields _time, metric_name, tenantId, metric_value ,
| rename metric_value as metric_name::metric_value metric_name as metric
| table metric "metric_name::metric_value" _time tenantId
| mcollect index=test_metrics
The test_metrics here is the index with metrics category.
From the documentation , I understood the metric field should be displayed as below on using metric_name::metric_value.
https://help.splunk.com/en/splunk-enterprise/get-data-in/metrics/9.4/introduction-to-metrics/get-sta...
But with the query I am using , it is getting displayed as separate field with just numerical value (not in above screenshot example format). Also, metric_name field is getting displayed only after it is renamed.
Please let me know what is that I am doing wrong.
Thanks,
PNV
Hi @Poojitha
The key here is to end up with a field called "metric_name:<yourMetricName>" with a numeric value containing your metric value.
For example:
metric_name:cpu_utilization=45.5
Here is an example SPL which might help, Ive used some sample data at the top to structure this for testing:
| makeresults
| eval _raw="{\"log.dmc\":{\"metricName\":\"cpu_utilization\",\"tenantId\":\"12345\",\"value\":75.3,\"timestamp\":\"2025-07-14 09:45:00.123\"}}"
| eval _raw=json_extract_exact(_raw,"log.dmc")
| spath
``` end of sample generation ```
| eval _time = strptime(timestamp, "%Y-%m-%d %H:%M:%S.%3N")
| eval metric_value = tonumber(value)
| eval metric_name:{metricName}=metric_value
| table tenantId metric_name*
|mcollect index=test_metrics
🌟 Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
Hi @Poojitha
The key here is to end up with a field called "metric_name:<yourMetricName>" with a numeric value containing your metric value.
For example:
metric_name:cpu_utilization=45.5
Here is an example SPL which might help, Ive used some sample data at the top to structure this for testing:
| makeresults
| eval _raw="{\"log.dmc\":{\"metricName\":\"cpu_utilization\",\"tenantId\":\"12345\",\"value\":75.3,\"timestamp\":\"2025-07-14 09:45:00.123\"}}"
| eval _raw=json_extract_exact(_raw,"log.dmc")
| spath
``` end of sample generation ```
| eval _time = strptime(timestamp, "%Y-%m-%d %H:%M:%S.%3N")
| eval metric_value = tonumber(value)
| eval metric_name:{metricName}=metric_value
| table tenantId metric_name*
|mcollect index=test_metrics
🌟 Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
