Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

metric stats

gerbert
Path Finder
‎03-10-2021 05:20 AM

Hello,

I'm still very new to splunk and I could use some help. I hope this question is not too general. I would like to use something like "|eval" before "|mstats", where I have to use |mstats because I use metric names. So just using "|stats" is no option.

So I want something like this:

|eval = new_field_name=substr(some_field_name, 3, 2)
|mstats max(some_metric_field) prestats=f chart=t chart.limit=200 WHERE index=some_index span=1h by new_field_name

 

But I get the error message:
Error in 'mstats' command: This command must be the first command of a search.


Another problem I have with metric data is that the following search gives me the results I want but is very slow. Any idea why or even better how to fix it?

|mpreview index=some_index  
|search non_metric_field!=0
|stats count by some_field_name

Labels (1)
Labels
Tags (1)
0 Karma
Reply

lorenzoalbanof
Explorer
‎05-17-2021 02:11 AM

Hi,

This is exactly my problem @gerbert.

I have overly informative metric_name values (containing what should be dimensions inside them, separated by a ".") and would like to extract shorter ones to aggregate upon. And then use mstats.

The trivial difference is that I would extract the new metric and dimension using rex

| rex field=metric_name "dim1\.dim2\.(?<dim3>.+?)\.(?<metric_name_short>\w+)"
| mstats avg(_value) as val WHERE index=indexz AND metric_name="dim1.dim2.*.*" span=5m by host, metric_name_short , dim3

But this is not allowed. So unless my admin re-indexes our metric index...

0 Karma
Reply

gerbert
Path Finder
‎05-21-2021 11:24 AM

I'm sorry I can't help you. We ended up reindexing exactly like you suggested in the end of your post.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...