Hello,
I'm still very new to Splunk and I could use some help. I hope this question is not too general. I would like to use something like "|eval" before "|mstats", where I have to use |mstats because I use metric names. So just using "|stats" is not an option.
So I want something like this:
|eval new_field_name=substr(some_field_name, 3, 2)
|mstats max(some_metric_field) prestats=f chart=t chart.limit=200 WHERE index=some_index span=1h by new_field_name
But I get the error message:
Error in 'mstats' command: This command must be the first command of a search.
Another problem I have with metric data is that the following search gives me the results I want but is very slow. Any idea why or even better how to fix it?
|mpreview index=some_index
|search non_metric_field!=0
|stats count by some_field_name
Hi,
This is exactly my problem @gerbert.
I have overly informative metric_name values (containing what should be dimensions inside them, separated by a ".") and would like to extract shorter ones to aggregate upon. And then use mstats.
The trivial difference is that I would extract the new metric and dimension using rex
| rex field=metric_name "dim1\.dim2\.(?<dim3>.+?)\.(?<metric_name_short>\w+)"
| mstats avg(_value) as val WHERE index=indexz AND metric_name="dim1.dim2.*.*" span=5m by host, metric_name_short , dim3
But this is not allowed. So unless my admin re-indexes our metric index...
I'm sorry I can't help you. We ended up reindexing exactly like you suggested at the end of your post.