Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Using mstats to create separate columns per metrics

kutsyy
Engager
‎11-21-2017 04:19 PM

I know that I can combine multiple metrics using mstats as:

| mstats avg(_value) AS "Average" WHERE metric_name=metric_name* span=1m by metric_name, host

this would create a row per metric_name*. Instead of this I want to have 1 column per metric_name*, something along the lines:

| mstats avg(_value of metric_name1) AS "Average1" avg(_value of metric_name2) AS "Average2" WHERE metric_name=metric_name* span=1m by host

How could I do this?

Thank you,

Vadim

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

thaggie_splunk
Splunk Employee
Splunk Employee
‎11-30-2017 11:20 AM

I think this should do the trick, though you have to hand code the metrics, no metric_name*:

| mstats avg(_value) as metric_name1 WHERE metric_name="metric_name1" by host span=1m
| join type=left _time [
  | mstats avg(_value) as metric_name2 WHERE metric_name="metric_name2" by host span=1m
]

Without the host column you can do:

| mstats avg(_value) WHERE metric_name="metric_name*" by metric_name span=1m
| timechart first(avg(_value)) by metric_name span=1m

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

thaggie_splunk
Splunk Employee
Splunk Employee
‎11-30-2017 11:20 AM

I think this should do the trick, though you have to hand code the metrics, no metric_name*:

| mstats avg(_value) as metric_name1 WHERE metric_name="metric_name1" by host span=1m
| join type=left _time [
  | mstats avg(_value) as metric_name2 WHERE metric_name="metric_name2" by host span=1m
]

Without the host column you can do:

| mstats avg(_value) WHERE metric_name="metric_name*" by metric_name span=1m
| timechart first(avg(_value)) by metric_name span=1m
0 Karma
Reply
Solved! Jump to solution

peiffer
Path Finder
‎03-24-2024 05:33 PM

Have there been any updates on methodologies for extacting multiple metrics in a single mstats call?  I can do the work with a join across _time and dimensions held in common, but after about 2 metrics, the method gets a bit tedious.

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎11-28-2017 05:09 PM

Hi kutsyy,

if I got your question right, you can get the expect result by adding a chart to your mstats search like this:

| mstats avg(_value) AS avg_v max(_value) AS max_v min(_value) AS min_v WHERE index="meh-tricks" AND source="http:collectd" AND metric_name=cpu.percent* span=1m by host
| eval idle=if(metric_name=="cpu.percent.idle.value", max_v, null()), user=if(metric_name=="cpu.percent.user.value", max_v, null()) 
| chart values(idle) AS idle values(user) AS user over _time by host

This will get you a chart view with column contains the values for different metric, like the screenshot below:
alt text

Please adjust to your needs, because I'm pretty sure you will not have an index called meh-tricks 😉

Hope this helps ...

cheers, MuS

Preview file
1 KB
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...