Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

It is possible to use a variable under mstats search?

soulmaker
Explorer
‎09-13-2023 09:11 PM

Hi there, 

I am trying to make a statistic graph in my dashboard using the search below.  

| mstats rate(vault.runtime.total_gc_pause_ns.value) as gc_pause WHERE `vault_telemetry` AND cluster=* AND (host=*) BY host span=5m
| timechart max(gc_pause) AS iowait bins=1000 BY host
| eval warning=3.3e7, critical=8.3e7

**Note that the search below comes from the pre-defined dashboard template but it is not working as is in my environment. 

In my Splunk, when I do a mpreview of my index `vault_telemetry` I am getting a result like the below:

metric_name:vault.hostname1.runtime.total_gc_pause_ns
metric_name:vault.hostname2.runtime.total_gc_pause_ns
metric_name:vault.hostname3.runtime.total_gc_pause_ns
metric_name:vault.hostname3.runtime.total_gc_pause_ns
metric_name:vault.hostname4.runtime.total_gc_pause_ns

If I modify the pre-defined search from the template using the below I can get the result however, I can only do it on one hostname. 

| mstats rate(vault.hostname1.runtime.total_gc_pause_ns) as gc_pause WHERE `vault_telemetry` span=5m
| timechart max(gc_pause) AS iowait bins=1000
| eval warning=3.3e7, critical=8.3e7

 

I would like to have all the hostname shows on my single panel. Can someone please able to assist and help me with the correct search index I need to use?

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎09-13-2023 09:18 PM

If I understood correctly, just use wildcards

| mstats rate(vault.hostname*.runtime.total_gc_pause_ns) as gc_pause_* WHERE `vault_telemetry` span=5m
| timechart max(gc_pause_*) AS iowait_* bins=1000
| eval warning=3.3e7, critical=8.3e7

 

View solution in original post

Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎09-13-2023 09:18 PM

If I understood correctly, just use wildcards

| mstats rate(vault.hostname*.runtime.total_gc_pause_ns) as gc_pause_* WHERE `vault_telemetry` span=5m
| timechart max(gc_pause_*) AS iowait_* bins=1000
| eval warning=3.3e7, critical=8.3e7

 

Reply
Solved! Jump to solution

soulmaker
Explorer
‎09-13-2023 10:09 PM

Your a real legend @bowesmana . I didn't realize that you can put wildcards in the middle. Thank you so much for your help. I am new to Splunk so your help is really helpful. 

0 Karma
Reply
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...