Perform statistical calculations on metric time series
A metric time series is a set of metric data points that all share a unique combination of a metric and a set of dimension field-value pairs.
For example, say you have a metric named miles.driven
. This metric represents the odometer readings of various race cars. Metric data points for miles.driven
include the following dimensions: vehicle_type
, engine_type
, vehicle_number
, and driver_name
.
The following table displays a set of metric data points ordered by _time
. You can see that they break out into two distinct metric time series for the miles.driven
metric:
_time | metric_name:miles.driven | vehicle_type | engine_type | vehicle_number | driver_name |
---|---|---|---|---|---|
01-05-2020 16:26:42.025 -0700 | 134.0643 | Ferrari | F136 | 011 | LanaR |
01-05-2020 16:26:41.834 -0700 | 128.4515 | Ferrari | F136 | 009 | RavenM |
01-05-2020 16:26:41.655 -0700 | 133.7509 | Ferrari | F136 | 011 | LanaR |
01-05-2020 16:26:41.007 -0700 | 127.8861 | Ferrari | F136 | 009 | RavenM |
01-05-2020 16:26:40.623 -0700 | 127.1277 | Ferrari | F136 | 009 | RavenM |
01-05-2020 16:26:40.014 -0700 | 133.2482 | Ferrari | F136 | 011 | LanaR |
Both metric time series in this metric data point table have Ferrari
as their vehicle type and F136
as their engine_type
, but they have different vehicle_number
and vehicle_driver
values. The metric data points with vehicle_number=009
and driver_name=RavenM
make up one distinct metric time series. The metric data points with vehicle_number=011
and driver_name=LanaR
make up the other distinct metric time series.
As the different vehicle_number
and driver_name
values indicate, the metric data points in this sample are from two different cars that are being driven at roughly the same time. If you want to get the average rate(X)
for the miles.driven
metric, it doesn't make sense to calculate the average rate for all six of these metric data points. Instead, get the average rate grouped by metric time series, so you are not mixing the cars together.
You can perform statistical calculations on the time series associated with a particular metric if you call out all of the dimensions related to the metric in the search. But this approach can be unwieldy, especially for metrics that involve a large number of dimensions.
| mstats avg(miles.driven) BY vehicle_type engine_type vehicle_number driver_name
The special _timeseries
field replaces those potentially long dimension lists. Use it in conjunction with mstats
to calculate statistics per time series. For example, this search retrieves the average miles.driven
for both of the time series represented in the sample:
| mstats avg(miles.driven) BY _timeseries
For more information, see mstats
in Search Reference.
_timeseries is an internal field
_timeseries
is an internal field and is hidden from the Splunk Web interface. If you want to display it in your results you need to implement a rename
command to display _timeseries
as timeseries
or time_series
.
| mstats avg(miles.driven) BY _timeseries | rename _timeseries AS timeseries
Combine _timeseries with group-by fields when its values are processed by commands other than mstats
_timeseries
is a JSON-formatted field. Therefore, you might want to combine it with another group-by field if you need to process its values by an additional non-mstats command, such as stats
. This method is best suited for situations where all of the results share the same metric time series.
The following search uses mstats
to calculate the rate for the time series related to the miles.driven
metric. Then it uses stats
to calculate the sum of each of those rates.
mstats rate(miles.driven) as driven BY vehicle_number, _timeseries | stats sum(rate(miles.driven)) BY vehicle_number
You can simplify this example search by using the rate_sum(X)
function.
See Time functions in the Search Reference.
Search and monitor metrics | Investigate counter metrics |
This documentation applies to the following versions of Splunk® Enterprise: 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 9.4.0
Feedback submitted, thanks!