Splunk Enterprise

Filter by tag in mstats

Loves-to-Learn Everything


I started using tags by tagging my hosts with the environment they are in and the service the host. Using these tags in log/event indices works perfectly well, but I am not able to filter by tags in mstats. I tried many variations of "WHERE tag=env.prod" or "WHERE "tag::host"="env.prod" but none return any results.
I checked that these tags really are there with mpreview which shows all the tags on the specific hosts and I also was able to filter with a small workaround using the tags command:


| mstats rate(os.unix.nmon.storage.diskread) AS read rate(os.unix.nmon.storage.diskwrite) AS write WHERE `my-metric-indizes` AND (host=*) BY host span=5m
| tags
| WHERE "service.vault" IN (tag) AND "env.prod" in (tag)
| stats sum(read) AS read, sum(write) AS write by _time,host
| timechart max(read) as read, max(write) as write bins=1000 by host


Is there a way to filter by a tag directly in mstats? The workaround is not very performance friendly...

Labels (1)
Tags (1)
0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Get More Out of Your Security Practice With a SIEM

Get More Out of Your Security Practice With a SIEMWednesday, July 31, 2024  |  11AM PT / 2PM ETREGISTER ...