Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

metric stats

gerbert
Path Finder
‎03-10-2021 05:20 AM

Hello,

I'm still very new to splunk and I could use some help. I hope this question is not too general. I would like to use something like "|eval" before "|mstats", where I have to use |mstats because I use metric names. So just using "|stats" is no option.

So I want something like this:

|eval = new_field_name=substr(some_field_name, 3, 2)
|mstats max(some_metric_field) prestats=f chart=t chart.limit=200 WHERE index=some_index span=1h by new_field_name

 

But I get the error message:
Error in 'mstats' command: This command must be the first command of a search.


Another problem I have with metric data is that the following search gives me the results I want but is very slow. Any idea why or even better how to fix it?

|mpreview index=some_index  
|search non_metric_field!=0
|stats count by some_field_name

Labels (1)
Labels
Tags (1)
0 Karma
Reply

lorenzoalbanof
Explorer
‎05-17-2021 02:11 AM

Hi,

This is exactly my problem @gerbert.

I have overly informative metric_name values (containing what should be dimensions inside them, separated by a ".") and would like to extract shorter ones to aggregate upon. And then use mstats.

The trivial difference is that I would extract the new metric and dimension using rex

| rex field=metric_name "dim1\.dim2\.(?<dim3>.+?)\.(?<metric_name_short>\w+)"
| mstats avg(_value) as val WHERE index=indexz AND metric_name="dim1.dim2.*.*" span=5m by host, metric_name_short , dim3

But this is not allowed. So unless my admin re-indexes our metric index...

0 Karma
Reply

gerbert
Path Finder
‎05-21-2021 11:24 AM

I'm sorry I can't help you. We ended up reindexing exactly like you suggested in the end of your post.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...