How to use eval with mstats

nouraali · ‎08-18-2021

Hi,

I want to run something similar to the below on metrics data stored in metrics index, can you please assist:

eval ip34 = if(ip=="37.25.139.34",1,0) ,ip35 = if(ip=="37.25.139.35",1,0)
| mstats sum(ip34) , sum(ip35) ,
         avg(bytes) , stdev(bytes) , median(bytes) 
         avg(response_time_s) , stdev(response_time_s) , median(response_time_s) 
  where index=sfp_metrics earliest=-5m@m latest=@m span=1m by uri

It gives me:

Any idea how to achieve this would be appreciated.

Best Regards,

venkatasri · ‎08-18-2021

Hi @nouraali

Never tried mstats your SPL need a change, try this

| mstats count(eval(ip=="37.25.139.34")) as ip34 , count(eval(ip=="37.25.139.35")) as ip35 ,
         avg(bytes) , stdev(bytes) , median(bytes) 
         avg(response_time_s) , stdev(response_time_s) , median(response_time_s) 
  where index=sfp_metrics earliest=-5m@m latest=@m span=1m by uri 
| eventstats sum(ip34) as ip34, sum(ip35) as ip35 by uri 
| table ip* avg* std* med* uri

nouraali · ‎08-19-2021

This gives me the below errors:

venkatasri · ‎08-19-2021

| mstats seems doesn't support stats style eval aggr functions. How about changing to stats?

index=sfp_metrics earliest=-5m@m latest=now
| bin span=1m _time
| stats count(eval(ip=="37.25.139.34")) as ip34, count(eval(ip=="37.25.139.35")) as ip35,avg(bytes),stdev(bytes),median(bytes),avg(response_time_s),stdev(response_time_s),median(response_time_s) by _time, uri 
| eventstats sum(ip34) as ip34, sum(ip35) as ip35 by uri 
| table ip* avg* std* med* uri

nouraali · ‎08-27-2021

This works only on events index, while the data i am searching is stored in metrics index.

How to use eval with mstats

eval

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms