×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
JoshMc
Loves-to-Learn
Member since: ‎06-26-2018
‎02-02-2024
Community Statistics
Posts 4
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎06-26-2018
View All

Re: How to search mstats and then filter the resul...

by SplunkTrust in Splunk Search
‎02-02-2024 02:08 PM
‎02-02-2024 02:08 PM
Maybe it's as easy as adding it in the where clause: | mstats latest_time(application_ready_time.value) as latest_ts WHERE index=my-metrics-index host=some-host app.name IN ("appname1", "appname2") BY app.name | eval past_threshold=if(now() - latest_ts >= 30, "Y", "N") | eval latest=strftime(latest_ts, "%Y-%m-%d %H:%M:%S") | table app.name latest past_threshold x Give that a try. If it doesn't work, you can just post filter it with something like | mstats latest_time(application_ready_time.value) as latest_ts where index=my-metrics-index host=some-host by app.name | search app.name IN ("appname1", "appname2") | eval past_threshold=if(now() - latest_ts >= 30, "Y", "N") | eval latest=strftime(latest_ts, "%Y-%m-%d %H:%M:%S") | table app.name latest past_threshold x The former with the app.names as part of the WHERE clause is probably preferable.  Splunk can often push these sorts of search terms down into the search itself, but I'm not sure if it does that with mstats.  Meaning, if it CAN do that, it'll perform the same as the first one (more or less).  But if it can't do that, it'll run quite a bit slower because it'll get all those stats off disk, then throw away all but the two sets you want to keep. But it would work, either way.  🙂 ... View more

Re: mstats and eval - getting free memory in GB in...

by in Splunk Search
‎08-08-2023 08:34 AM
‎08-08-2023 08:34 AM
When I try the accepted solution I get the error: Cannot filter on 'metric_name' in normalized syntax. Here's my query: | mstats avg(value) AS mem_b WHERE index="my-index" AND metric_name="jvm_memory_used" span=1m BY "app.name" | eval mem_gb = mem_b / 1024 /1024 / 1024 | stats max(mem_gb) BY "app.name" ... View more

Re: Is _time in UTC or local time?

by in Getting Data In
‎05-05-2023 07:55 AM
‎05-05-2023 07:55 AM
@GDustin wrote: "Local time" where? You specify your explicit local time in SH/SHC/SPL GUI service; "Account Setting>Time Zone" Otherwise local time where; the source, sourcetransport, indexer, SH Servicer, etc When using the Splunk UI (in a browser), then "local time" means that of the computer you're using.  ... View more

Re: HEC metrics result in "JsonLineBreaker" error

by in Monitoring Splunk
‎03-16-2023 07:54 PM
‎03-16-2023 07:54 PM
Hi @JoshMc  Maybe it's something in the _json sourcetype, which would normally be used for a normal JSON events is messing with the metrics. Try not selecting the preconfigured _json sourcetype in the token configuration.  As a metric index the JSON format is implied anyway, so just create a unique sourcetype name or even leave it unselected. The docs imply no sourcetype should be selected too... https://docs.splunk.com/Documentation/Splunk/latest/Metrics/GetMetricsInOther#Create_a_data_input_and_token_for_HEC Would be interested to know if this helps. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎02-02-2024 04:51 PM