Splunk Search

How can I see the Data in a Metrics Index in Splunk 7?

bojanisch
Path Finder

Hi everyone,

I'm looking forward to doing some Data Science with Splunk and was very happy to read about the Metrics Index in the past days. But now that I've uploaded some sensor measures from my Mi Band (Steps and Heart Rate) I was wondering how to see the data. Is it even possible to see all data in a Metrics Index, or should I use a casual Event Index for this purpose?

Then again I was wondering how I can use this new index structure in combination with custom search commands and if they behave in the same manner as before (getting a stream or the whole data as a resultset etc.). Is there something to consider when using csc in combination with mstats?

Finally, I was wondering about the timespan which can be given to mstats. Apparently I thought it would work like the span with the timechart command, but it does not seem so. For example, the command index="sensordataEventIndex" | timechart max(_value) span=1d by metric_name gives me completely different results than | mstats max(_value) span=1d WHERE metric_name=* AND index="sensordataMetricsIndex" by metric_name. Can someone explain the difference to me?

Thanks in advance and kind regards,
Bojan

rjthibod
Champion

At this time, the only commands that support Metrics Indexes are mstats and mcatalog. My understanding is that mcatalog is only for getting metadata about the contents of the Metrics Index, whereas mstats is the only command to query / visualize the data.

There is no great interface/dashboard pre-built in Splunk 7.0.0 for exploring Metrics data. Splunk released this Metrics Explorer app at .conf ( https://splunkbase.splunk.com/app/3726/ ), but it looks rushed and poorly put together in v0.1.2.

I know @sideview put a metrics explorer interface in his app at .conf. I haven't played with it, but you can find it here: https://sideviewapps.com/apps/sideview-utils/

As far as the data coming out, I think you have to assume that the output of mstats is going to be just like tstats, i.e., you use append and prestats in the same ways. With Metrics indexes, there are no such things as events, or at least that seems to be how Splunk is telling people to think about it.
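As an added example (not part of the original thread), the mcatalog / mstats / prestats pattern described above, written against the Metrics Index name from the question; the one-day span and the use of metric_name=* are assumptions taken from the question's own search:

```spl
| mcatalog values(metric_name) WHERE index="sensordataMetricsIndex"

| mstats max(_value) WHERE index="sensordataMetricsIndex" AND metric_name=* span=1d BY metric_name

| mstats max(_value) prestats=true WHERE index="sensordataMetricsIndex" AND metric_name=* span=1d BY metric_name
| timechart max(_value) span=1d BY metric_name
```

The first search lists which metric_name values the index actually holds, the second returns each metric's daily maximum as a table the way the question's mstats call does, and the third hands the same buckets to timechart in prestats form so the result renders as a time chart.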
