Using comparison function within mstats

Splunk Search

Hello fellow Splunkthiasts!

I need some insights to understand how comparison functions in mstats could be used. Consider the following query:

| mstats latest(cpu_metric.*) as * WHERE index="osnix_metrics" sourcetype=cpu_metric CPU=all BY host
| where pctUser > 50

As expected, it returns a list of hosts having latest CPU usage value higher than 50%.

However, according to mstats command reference, I can have comparison expression within WHERE clause and I'd expect it would be more efficient to rewrite the above query like this:

| mstats latest(cpu_metric.*) as * WHERE index="osnix_metrics" sourcetype=cpu_metric CPU=all pctUser > 50 BY host

Unfortunately, this doesn't return any results. I tried to refer to metric before aggregation with no luck:

| mstats latest(cpu_metric.*) as * WHERE index="osnix_metrics" sourcetype=cpu_metric CPU=all cpu_metric.pctUser > 50 BY host

What am I missing here?

Get Updates on the Splunk Community!

Mile High Learning with Splunk University, Denver, Colorado

If Denver is known for its mile-high elevation, Splunk University is about to raise the bar on technical ...

IT Service Intelligence 5.0 Series: Your Guide to the June Launch

We are excited to announce the June release of Splunk IT Service Intelligence (ITSI) 5.0. This update ...

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...