
mstats - spaces in metric names

janispelss
Path Finder

Is there a way to use the improved mstats syntax introduced in 7.1 (changes described here) with metrics that have spaces in their names? I'm getting an error "Term based search is not supported" when I try.

I'm trying out the new Splunk Add-on for Microsoft Windows version, which includes the transforms necessary for storing the perfmon data in metrics indexes. It works great, except for the cases where the perfmon counter name has spaces in it.

For example, this search works:

| mstats avg("Threads") where index=my_metric_index span=1m

But this one produces the error mentioned above:

| mstats avg("% Processor Time") where index=my_metric_index span=1m

I can get the result I need using the deprecated syntax like this, but there's a reason why it's deprecated:

| mstats avg(_value) where index=my_metric_index metric_name="% Processor Time" span=1m

Any good way to resolve this? Currently the only thing that comes to mind is removing or replacing the spaces using SEDCMD, but that doesn't seem very optimal.


janispelss
Path Finder

Since I wasn't able to find another way, I went with the SEDCMD replacement approach.

SEDCMD-perfmons = s/(?<!\d\d) /_/g

This SEDCMD only replaces spaces that are after 2 digits, to avoid replacing spaces in the timestamp (seemed to interfere with correct timestamp recognition).

Still not sure that this is the best approach, but since the regex is simple enough, I hope it will be ok for the data amounts I'm getting. At least until there's a better solution.

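The following is an added example, not part of the original posts: it runs the substitution from the SEDCMD above over constructed perfmon events to show which spaces it rewrites. The negative lookbehind leaves a space alone when the two characters before it are digits, so the timestamp survives, but so does a space inside any name where a two-digit number precedes it. The event layout, the "Queue 10 Length" counter and the function names are assumptions made for illustration, and Python's `re` is assumed to treat this pattern the same way Splunk's regex engine does.

```python
import re

# The substitution from the SEDCMD above: s/(?<!\d\d) /_/g
SEDCMD_PATTERN = re.compile(r"(?<!\d\d) ")


def apply_sedcmd(raw_event):
    """Rewrite a raw event the way the global substitution would."""
    return SEDCMD_PATTERN.sub("_", raw_event)


def remaining_spaces(raw_event):
    """Return the lines of the rewritten event that still contain a space."""
    return [line for line in apply_sedcmd(raw_event).splitlines() if " " in line]


# Constructed sample events (assumed layout, not captured from a real host).
SAMPLE_EVENT = (
    '03/28/2018 10:15:00.123 -0700\n'
    'collection=CPU\n'
    'object=Processor\n'
    'counter="% Processor Time"\n'
    'instance=_Total\n'
    'Value=1.23'
)

# Hypothetical counter name with a two-digit number followed by a space.
EDGE_EVENT = (
    '03/28/2018 10:15:00.123 -0700\n'
    'object="Example Object"\n'
    'counter="Queue 10 Length"\n'
    'Value=7'
)

if __name__ == "__main__":
    for event in (SAMPLE_EVENT, EDGE_EVENT):
        print(apply_sedcmd(event))
        print("lines still containing spaces:", remaining_spaces(event))
        print()
```

Any line other than the timestamp that `remaining_spaces` reports is a name that would still reach the metrics index with a space in it.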

riptivoli
Engager

I see the exact same behavior. Anyone have any pointers? Or a better workaround?



yannK
Splunk Employee

Try to put the field name between single ticks.

 | mstats avg('% Processor Time')

janispelss
Path Finder

Unfortunately, this doesn't work for me. Splunk seems to think that the first space signals the end of the avg expression - the error I get is

Error in 'mstats' command: Invalid token: avg('%