Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why are data model metrics not showing up with this search?

locose
Path Finder
‎02-08-2017 12:09 PM

The following searches work : 

| tstats `xxxx_summaries_only` avg(All_Performance.Memory.swap_free) AS swap_free FROM datamodel=COY_Performance  WHERE nodename="All_Performance.Memory"  AND All_Performance.dest="hostname-11"

| tstats `xxxx_summaries_only` avg(All_Performance.Memory.swap) AS swap FROM datamodel=COY_Performance  WHERE nodename="All_Performance.Memory"  AND All_Performance.dest="hostname-11"

This doesn’t work

| tstats `xxxx_summaries_only` avg(All_Performance.Memory.swap_used) AS swap_used  FROM datamodel=COY_Performance  WHERE nodename="All_Performance.Memory"  AND All_Performance.dest="hostname-11"

But via the pivot on the datamodel, I do see metrics from "All_Performance.Memory.swap_used".

Any reason why my search returns nothing for 

| tstats `xxxx_summaries_only` avg(All_Performance.Memory.swap_used) AS swap_used  FROM datamodel=COY_Performance  WHERE nodename="All_Performance.Memory"  AND All_Performance.dest="hostname-11"
0 Karma
Reply

ehudb
Contributor
‎02-08-2017 03:07 PM

Try using values() instead of avg(), to check what values are extracting.
Maybe that field configuration in the datamodel was supposed to be a number but was configured as a string?

0 Karma
Reply

locose
Path Finder
‎02-09-2017 06:08 AM

Values() doesn't work and the field is configured as number

0 Karma
Reply

ehudb
Contributor
‎02-09-2017 06:39 AM

What do you mean values doesn't work?
What result you get for:

| tstats xxxx_summaries_only values(All_Performance.Memory.swap_used) AS swap_used FROM datamodel=COY_Performance WHERE nodename="All_Performance.Memory" AND All_Performance.dest="hostname-11"

0 Karma
Reply

locose
Path Finder
‎02-09-2017 07:04 AM

correct.
tstats xxxx_summaries_only values(All_Performance.Memory.swap_used) AS swap_used FROM datamodel=COY_Performance WHERE nodename="All_Performance.Memory" AND All_Performance.dest="hostname-11"

didn't work

0 Karma
Reply

ehudb
Contributor
‎02-09-2017 07:07 AM

didn't work, but what do you get as a result?

0 Karma
Reply

locose
Path Finder
‎02-09-2017 07:13 AM

"no results found"

0 Karma
Reply

ehudb
Contributor
‎02-09-2017 07:16 AM

Try to view the table in the pivot, and click "open in search"
Then inspect the search details and look in search.log
You will find the |tstats that was running in the background

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...