Hi All,

I have a query that converts event logs to metrics (search-time processing):

| index=<indexname> sourcetype=<sourcetype> host=<hostname> | spath input=log.dmc | eval metric_name = 'log_processed.dmc.metricName' | eval tenantId = 'log.dmc.tenantId' | eval metric_value = tonumber('log_processed.dmc.value') | eval _time = strptime('log_processed.timestamp', "%Y-%m-%d %H:%M:%S.%3N") | fields _time, metric_name, tenantId, metric_value | rename metric_value as metric_name::metric_value metric_name as metric | table metric "metric_name::metric_value" _time tenantId | mcollect index=test_metrics

The test_metrics here is the index with the metrics category. From the documentation, I understood the metric field should be displayed as below when using metric_name::metric_value:

https://help.splunk.com/en/splunk-enterprise/get-data-in/metrics/9.4/introduction-to-metrics/get-started-with-metrics

But with the query I am using, it is getting displayed as a separate field with just the numerical value (not in the format of the screenshot example above). Also, the metric_name field is getting displayed only after it is renamed. Please let me know what it is that I am doing wrong.

Thanks,
PNV
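As an added illustration (not the poster's query and not Splunk's own reference code), the same log-to-metric pipeline written with eval's {field} dynamic-naming syntax, which creates a field whose name is built from the metric name rather than the literal string metric_name::metric_value. The JSON field names (metricName, tenantId, value, timestamp) are assumed sample paths, and it assumes mcollect's default (non-split) mode consumes fields named metric_name:<name> as in the multiple-measurement format the linked doc describes; confirm that against the mcollect reference for your version.

```spl
| index=<indexname> sourcetype=<sourcetype> host=<hostname>
| spath input=log.dmc
| eval metric_name  = 'metricName'
| eval tenantId     = 'tenantId'
| eval metric_value = tonumber('value')
| eval _time        = strptime('timestamp', "%Y-%m-%d %H:%M:%S.%3N")
| where isnotnull(metric_name) AND isnotnull(metric_value)
| eval measure_field = "metric_name:" . metric_name
| eval {measure_field} = metric_value
| fields _time, tenantId, metric_name:*
| mcollect index=test_metrics tenantId
```

Run it without the final mcollect line first and check that a field such as metric_name:<your metric> appears with the numeric value and that _time parsed (a null _time means the strptime format does not match your timestamp string).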