Splunk Search

mstats and mcatalog simply does not work

deodion
Path Finder

I try to use mstats and mcatalog command
it just simply does not work, I think its Splunk settings side Im missing,

such as this:

| mstats sum(bytes) latest(_time) where index=metrics_app_dest_survey by app_name

Im using admin account, is there anything wrong with user role capability?
I only see one thing relevant list_metrics_catalog is added capability, but still not working,

What am I missing? thanks!

0 Karma
1 Solution

deodion
Path Finder

Hello thaggie,
thanks for replying, the problem with this is simply that I didnt setup the index type correctly, the index type should be metric.

View solution in original post

0 Karma

deodion
Path Finder

Hello thaggie,
thanks for replying, the problem with this is simply that I didnt setup the index type correctly, the index type should be metric.

0 Karma

thaggie_splunk
Splunk Employee
Splunk Employee

When you execute:

| mcatalog values(metric_name) where index=metrics_app_dest_survey

Do you get any values back?

You can't aggregate time so you need to remove latest(_time), this should work:

| mstats sum(bytes) where index=metrics_app_dest_survey by app_name
0 Karma
Get Updates on the Splunk Community!

Archived Metrics Now Available for APAC and EMEA realms

We’re excited to announce the launch of Archived Metrics in Splunk Infrastructure Monitoring for our customers ...

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Dashboard Challenge and Watch the .conf24 Global Broadcast!

The Splunk Community Dashboard Challenge is still happening, and it's not too late to enter for the week of ...