flow query syntax
The flow operator in the Splunk Infrastructure Monitoring Add-on retrieves metrics data and optional metadata using a SignalFlow query string. It uses the following syntax:
| sim flow query=<string> format=[table | raw] resolution=<integer> with_derived_metadata=[false|true] org_id=<string>
The flow query output stream is equivalent to the output stream produced by this SignalFlow expression:
Splunk Infrastructure Monitoring filters a stream of data points coming in for the metric <metricname> using the filter defined by the call to the filter() function <filterfunction>. The result is known in Infrastructure Monitoring as a data object. The publish() method creates an output data stream from the data object.
The SignalFlow background job that executes the expression sends the output from publish() to Splunk using WebSocket messages. Metrics collected by Infrastructure Monitoring software have a name prefixed by sf_ to indicate that Infrastructure Monitoring collected them. For more information about writing SignalFlow expressions, see Analyze Data Using SignalFlow in the Splunk Infrastructure Monitoring documentation.
Search parameters
Parameter | Type | Optional/Required | Description |
---|---|---|---|
query | String | Required | The search query that specifies the specific metrics data you want to return. |
format | table or raw | Optional | The output format. table outputs the results in a table. raw operates on each event as it is returned by a search. Default is table. |
resolution | Integer | Optional | Default is 30000. For more information about setting the resolution, see Resolution and data retention in Splunk Infrastructure Monitoring in the Splunk Observability documentation. |
with_derived_metadata | Boolean | Optional | Include the metadata associated with the metrics data. Default is false. |
org_id | String | Optional | Specify the ID of the Infrastructure Monitoring organization to fetch data from. If an ID is not specified, the default organization is used. |
Usage examples
You can use the plot editor within the Infrastructure Monitoring Chart Builder to build your SignalFlow query. For instructions and guidance, see Plotting Metrics and Events in the Chart Builder in the Splunk Infrastructure Monitoring documentation.
The following search fetches CPU utilization metrics data in table format with the default parameters resolution = 30000 and with_derived_metadata = false, which are optimized for performance.
| sim flow query="data('CPUUtilization', filter=filter('stat', 'mean') and filter('namespace', 'AWS/EC2') and filter('InstanceId', '*')).publish()"
The following search fetches memory free metrics data from Kubernetes node A from a specific Infrastructure Monitoring organization:
| sim flow query="data('memory.free', filter=filter('kubernetes_node', 'NodeA')).publish()" org_id=EUdM838A4AA
The following search fetches disk utilization metrics on a specific host machine. The response includes metadata, including dimensions, properties, and tags.
| sim flow query="data('disk.utilization', filter=filter('host_machine', 'x86_64')).publish()" with_derived_metadata=true
The following search fetches disk I/O metrics for a specific device:
| sim flow query="data('system.disk.io', filter=filter('device', 'nvme0n1')).publish()"
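The following checker is an added example, not part of the add-on or the original documentation. It parses a `| sim flow` search string and validates each argument against the Search parameters table, which catches an unterminated `query="..."` string or an out-of-range value before the search is saved or scheduled. The name=value grammar, the backslash-escape rule, and the names `check_sim_flow`, `ARG` and `RULES` are assumptions made for this example.

```python
import re

# One name=value argument: the value is a double-quoted string or a bare word.
# Assumption: a backslash escapes the next character inside a quoted value.
ARG = re.compile(r'\s*(\w+)=("(?:[^"\\]|\\.)*"|[^\s"]+)')

# Accepted values, taken from the Search parameters table on this page.
RULES = {
    "query": lambda v: bool(v.strip()),
    "format": lambda v: v in ("table", "raw"),
    "resolution": lambda v: v.isascii() and v.isdigit(),
    "with_derived_metadata": lambda v: v in ("true", "false"),
    "org_id": lambda v: bool(v),
}

def check_sim_flow(search):
    """Parse a '| sim flow' search string and return (params, problems)."""
    head = re.match(r'\s*\|\s*sim\s+flow\b', search)
    if not head:
        return {}, ["not a '| sim flow' search"]
    params, problems, pos = {}, [], head.end()
    while search[pos:].strip():
        m = ARG.match(search, pos)
        if not m:
            # Typical cause: a query="... string that is never closed.
            problems.append("unparseable argument near: " + search[pos:].strip()[:30])
            break
        name, value = m.group(1), m.group(2)
        if value.startswith('"'):
            value = value[1:-1]  # drop the surrounding double quotes
        if name not in RULES:
            problems.append("unknown parameter: " + name)
        elif not RULES[name](value):
            problems.append("invalid value for " + name + ": " + value)
        params[name] = value
        pos = m.end()
    else:  # runs only when every argument parsed cleanly
        if "query" not in params:
            problems.append("missing required parameter: query")
    return params, problems

# Constructed sample inputs modelled on the usage examples on this page.
GOOD = "| sim flow query=\"data('memory.free', filter=filter('kubernetes_node', 'NodeA')).publish()\" org_id=EUdM838A4AA"
UNCLOSED = "| sim flow query=\"data('disk.utilization').publish() with_derived_metadata=true"
BAD_VALUES = "| sim flow query=\"data('CPUUtilization').publish()\" format=json resolution=30s"

if __name__ == "__main__":
    for s in (GOOD, UNCLOSED, BAD_VALUES):
        print(check_sim_flow(s)[1] or "ok")
```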
This documentation applies to the following versions of Splunk® Infrastructure Monitoring Add-on: 1.1.0, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4