metric stats

gerbert · ‎03-10-2021

Hello,

I'm still very new to splunk and I could use some help. I hope this question is not too general. I would like to use something like "|eval" before "|mstats", where I have to use |mstats because I use metric names. So just using "|stats" is no option.

So I want something like this:

|eval = new_field_name=substr(some_field_name, 3, 2)
|mstats max(some_metric_field) prestats=f chart=t chart.limit=200 WHERE index=some_index span=1h by new_field_name

But I get the error message:
Error in 'mstats' command: This command must be the first command of a search.

Another problem I have with metric data is that the following search gives me the results I want but is very slow. Any idea why or even better how to fix it?

|mpreview index=some_index
|search non_metric_field!=0
|stats count by some_field_name

lorenzoalbanof · ‎05-17-2021

Hi,

This is exactly my problem @gerbert.

I have overly informative metric_name values (containing what should be dimensions inside them, separated by a ".") and would like to extract shorter ones to aggregate upon. And then use mstats.

The trivial difference is that I would extract the new metric and dimension using rex

| rex field=metric_name "dim1\.dim2\.(?<dim3>.+?)\.(?<metric_name_short>\w+)"
| mstats avg(_value) as val WHERE index=indexz AND metric_name="dim1.dim2.*.*" span=5m by host, metric_name_short , dim3

But this is not allowed. So unless my admin re-indexes our metric index...

gerbert · ‎05-21-2021

I'm sorry I can't help you. We ended up reindexing exactly like you suggested in the end of your post.

metric stats

stats

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life