metric stats

gerbert
Path Finder

Hello,

I'm still very new to Splunk and I could use some help. I hope this question is not too general. I would like to use something like "|eval" before "|mstats", where I have to use |mstats because I use metric names. So just using "|stats" is not an option.

So I want something like this:

|eval new_field_name=substr(some_field_name, 3, 2)
|mstats max(some_metric_field) prestats=f chart=t chart.limit=200 WHERE index=some_index span=1h by new_field_name

 

But I get the error message:
Error in 'mstats' command: This command must be the first command of a search.


Another problem I have with metric data is that the following search gives me the results I want but is very slow. Any idea why or even better how to fix it?

|mpreview index=some_index  
|search non_metric_field!=0
|stats count by some_field_name

0 Karma

lorenzoalbanof
Explorer

Hi,

This is exactly my problem @gerbert.

I have overly informative metric_name values (containing what should be dimensions inside them, separated by a ".") and would like to extract shorter ones to aggregate upon. And then use mstats.

The trivial difference is that I would extract the new metric and dimension using rex:

| rex field=metric_name "dim1\.dim2\.(?<dim3>.+?)\.(?<metric_name_short>\w+)"
| mstats avg(_value) as val WHERE index=indexz AND metric_name="dim1.dim2.*.*" span=5m by host, metric_name_short , dim3

But this is not allowed. So unless my admin re-indexes our metric index...

0 Karma

gerbert
Path Finder

I'm sorry I can't help you. We ended up reindexing exactly like you suggested at the end of your post.

0 Karma
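
Added example, not posted by anyone in this thread: since mstats has to be the first command, one pattern is to group by the field as it is indexed, derive the shorter field afterwards, and then aggregate a second time. The first search does this for the max case in the question; the second does it for the avg case by carrying sum and count, so the final average is weighted correctly. The output names max_val, val_sum and val_count are hypothetical; every other name is taken from the posts above.

```spl
| mstats max(some_metric_field) AS max_val WHERE index=some_index span=1h BY some_field_name
| eval new_field_name=substr(some_field_name, 3, 2)
| timechart span=1h limit=200 max(max_val) BY new_field_name

| mstats sum(_value) AS val_sum count(_value) AS val_count WHERE index=indexz AND metric_name="dim1.dim2.*.*" span=5m BY host, metric_name
| rex field=metric_name "dim1\.dim2\.(?<dim3>.+?)\.(?<metric_name_short>\w+)"
| stats sum(val_sum) AS val_sum sum(val_count) AS val_count BY _time, host, metric_name_short, dim3
| eval val=val_sum/val_count
```

The mstats stage returns one row per original field value per time bucket before the second aggregation collapses them, so the intermediate result grows with the cardinality of the raw field.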