Using comparison function within mstats

Splunk Search

Hello fellow Splunkthiasts!

I need some insights to understand how comparison functions in mstats could be used. Consider the following query:

| mstats latest(cpu_metric.*) as * WHERE index="osnix_metrics" sourcetype=cpu_metric CPU=all BY host
| where pctUser > 50

As expected, it returns a list of hosts having latest CPU usage value higher than 50%.

However, according to mstats command reference, I can have comparison expression within WHERE clause and I'd expect it would be more efficient to rewrite the above query like this:

| mstats latest(cpu_metric.*) as * WHERE index="osnix_metrics" sourcetype=cpu_metric CPU=all pctUser > 50 BY host

Unfortunately, this doesn't return any results. I tried to refer to metric before aggregation with no luck:

| mstats latest(cpu_metric.*) as * WHERE index="osnix_metrics" sourcetype=cpu_metric CPU=all cpu_metric.pctUser > 50 BY host

What am I missing here?

Get Updates on the Splunk Community!

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...

Adoption of Infrastructure Monitoring at Splunk

Splunk's Growth Engineering team showcases one of their first Splunk product adoption-Splunk Infrastructure ...