Hi everyone,
I'm looking forward to doing some Data Science with Splunk and was very happy to read about the Metrics Index in the past days. But now that I've uploaded some sensor measures from my Mi Band (Steps and Heart Rate) I was wondering how to see the data. Is it even possible to see all data in a Metrics Index, or should I use a casual Event Index for this purpose?
Then again, I was wondering how I can use this new index structure in combination with custom search commands and whether they behave in the same manner as before (getting a stream or the whole data as a result set, etc.). Is there something to consider when using csc in combination with mstats?
Finally, I was wondering about the timespan which can be given to mstats. Apparently I thought it would work like the span with the timechart command, but it does not seem so. For example, the command index="sensordataEventIndex" | timechart max(_value) span=1d by metric_name gives me completely different results than | mstats max(_value) span=1d WHERE metric_name=* AND index="sensordataMetricsIndex" by metric_name. Can someone explain the difference to me?
Thanks in advance and kind regards,
Bojan
At this time, the only commands that support Metrics Indexes are mstats and mcatalog. My understanding is that mcatalog is only for getting metadata about the contents of the Metrics Index, whereas mstats is the only command to query / visualize the data.
There is no great interface/dashboard pre-built in Splunk 7.0.0 for exploring Metrics data. Splunk released this Metrics Explorer app at .conf ( https://splunkbase.splunk.com/app/3726/ ), but it looks rushed and poorly put together in v0.1.2.
I know @sideview put a metrics explorer interface in his app at .conf. I haven't played with it, but you can find it here: https://sideviewapps.com/apps/sideview-utils/
As far as the data coming out, I think you have to assume that the output of mstats is going to be just like tstats, i.e., you use append and prestats in the same ways. With Metrics indexes, there are no such things as events, or at least that seems to be how Splunk is telling people to think about it.
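The prestats and append patterns mentioned in the answer, written out as an added example (not part of either post and not Splunk's own documentation). It assumes the two index names from the question and a metric named heart_rate; the Mi Band field and metric names are assumptions, and the searches follow the documented mstats/tstats syntax of Splunk 7.0.

```spl
/* 1. prestats pattern: let mstats do the heavy lifting on the metrics index,
   then hand the partial results to timechart for the same 1-day bucketing
   that the question applied to the event index. The span on mstats and on
   timechart must match, otherwise timechart re-buckets the partial results. */
| mstats prestats=true max(_value) WHERE index="sensordataMetricsIndex" AND metric_name="*" span=1d BY metric_name
| timechart max(_value) span=1d BY metric_name

/* 2. append pattern: compare the metrics index with the event index side by
   side. The event search is aliased to the same field name (daily_max, an
   assumed name) so the final stats can merge both sources per day; the
   source field is added first so a mismatch between the two indexes is
   visible in the result rather than silently collapsed. */
| mstats max(_value) AS daily_max WHERE index="sensordataMetricsIndex" AND metric_name="heart_rate" span=1d
| eval source_index="sensordataMetricsIndex"
| append
    [ search index="sensordataEventIndex" metric_name="heart_rate"
      | bin _time span=1d
      | stats max(_value) AS daily_max BY _time
      | eval source_index="sensordataEventIndex" ]
| stats values(daily_max) AS daily_max_per_source, dc(daily_max) AS distinct_values BY _time, source_index
```

If distinct_values is greater than 1 for a day, the two indexes disagree for that day and the difference the question asks about can be inspected bucket by bucket.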