This will do the trick: | mstats avg(cpu_metric.*) as cpu_* WHERE index=<your_metrics_index> by CPU, host | table CPU, host | eventstats max(CPU) as cpu_count by host | table cpu_count, host | eval cpu_count=cpu_count+   the data being used is from the add on Link to the splunk add on for Splunk Add-on for Unix and Linux docs  ... View more

Hi, can you help me know what were you running on port 8088 except the HEC? ... View more

Oh yeah I did that. also, I was making use of REPORT instead of TRANSFORM in props.conf this is what worked: Props.conf [source::ping] TRANSFORMS-add_static_fields = mystaticFieldValue Transforms.conf [mystaticFieldValue] SOURCE_KEY = _raw WRITE_META = true REGEX = (.*) FORMAT = item::31 Fields.conf [item] INDEXED = true ... View more

This does create the field. However, it doesn't seems to be a metatag, as the field is not working with tstats for example: |tstats count where index=main location=* by sourcetype   Following error appears: When used for 'tstats' searches, the 'WHERE' clause can contain only indexed fields. Ensure all fields in the 'WHERE' clause are indexed. Properly indexed fields should appear in fields.conf. ... View more

This query can be further modified into this: index="_internal" source="*metrics.log" per_index_thruput series=* NOT ingest_pipe=* |stats sum(kb) as kb values(host) as host by series however this query will also show the amount of KBs being logged into indexes via summary indexing (sourcetype=stash), which is supposed to be not charged. Hence, I would prefer this query: index=_internal type=usage idx IN (*) source="*license_usage.log" NOT (h="" OR h=" ") ... View more

In order to get metrics index info also: | rest /services/data/indexes count=0 datatype=all ... View more

/services/data/indexes is not listing the metrics indexes ... View more

The problem here is that |getservice gives the direct dependencies instead of the the child dependencies further down the service tree. ... View more