Solved: mstats and mcatalog simply does not work

deodion · ‎03-12-2019

I try to use mstats and mcatalog command
it just simply does not work, I think its Splunk settings side Im missing,

such as this:

| mstats sum(bytes) latest(_time) where index=metrics_app_dest_survey by app_name

Im using admin account, is there anything wrong with user role capability?
I only see one thing relevant list_metrics_catalog is added capability, but still not working,

What am I missing? thanks!

deodion · ‎03-27-2019

Hello thaggie,
thanks for replying, the problem with this is simply that I didnt setup the index type correctly, the index type should be metric.

View solution in original post

deodion · ‎03-27-2019

Hello thaggie,
thanks for replying, the problem with this is simply that I didnt setup the index type correctly, the index type should be metric.

thaggie_splunk · ‎03-27-2019

When you execute:

| mcatalog values(metric_name) where index=metrics_app_dest_survey

Do you get any values back?

You can't aggregate time so you need to remove latest(_time), this should work:

| mstats sum(bytes) where index=metrics_app_dest_survey by app_name

mstats and mcatalog simply does not work

Announcing the Expansion of the Splunk Academic Alliance Program

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Buttercup Games: Further Dashboarding Techniques (Part 7)