Search and monitor metrics
To analyze data in a metrics index, use mstats
, which is a reporting command. Using mstats
you can apply metric aggregations to isolate and correlate problems from different data sources. See mstats in the Search Reference manual.
To enumerate metric names, dimensions, and values, use mcatalog
, which is an internal search command. See mcatalog in the Search Reference manual.
Other search commands do not work with a metrics index.
Note the following differences:
- You cannot search metrics data for individual metric events.
- You cannot use automatic lookups with metrics data. This is because automatic lookups are applied to individual events, whereas metrics are analyzed as an aggregate.
- You cannot perform search-time extractions.
- You can enrich metrics with the equivalent of custom indexed fields, which are treated as dimensions.
- You can use reserved fields such as "source", "sourcetype", or "host" as dimensions. However, when extracted dimension names are reserved names, the name is prefixed with "extracted_" to avoid name collision. For example, if a dimension name is "host", search for "extracted_host" to find it.
- Dimensions that start with underscore ( _ ) are not indexed, so they are not searchable.
Search examples
To list all metric names in all metrics indexes:
| mcatalog values(metric_name) WHERE index=*
To list all dimensions in all metrics indexes:
| mcatalog values(_dims) WHERE index=*
To list counts of metric names over 10-second intervals:
| mstats count where metric_name=* span=10s BY metric_name
To perform a simple count of a dimension:
| mstats count where index=mymetricsdata metric_name=aws.ec2.CPUUtilization
To calculate an average value of measurements for every 30-second interval:
| mstats avg(_value) WHERE index=mymetricdata AND metric_name=aws.ec2.CPUUtilization span=30s
You can also display results in a chart. The following example uses a wildcard search and group by:
| mstats avg(_value) prestats=t WHERE index=mymetricindex AND metric_name="cpu.*" span=1m by metric_name
| timechart avg(_value) as "Avg" span=1m by metric_name
This type of search can be used to stack different CPU metrics that add up to 100%.
This search shows an example of using an EVAL statement:
| mstats avg(_value) as "Avg" WHERE metric_name="memory.free.value" span=5s
| eval mem_gb = Avg / 1024 / 1024 / 1024
| timechart max("mem_gb") span=5s
Use the REST API to list metrics data
You can also use the Metrics Catalog REST API endpoints to enumerate metrics data:
- Use the
GET /services/catalog/metricstore/metrics
endpoint to list metric names. - Use the
GET /services/catalog/metricstore/dimensions
endpoint to list dimension names. - Use the
GET /services/catalog/metricstore/dimensions/{dimension-name}/values
endpoint to list values for given dimensions.
You can also use filters with these endpoints to limit results by index, dimension, and dimension values.
See Metrics Catalog endpoint descriptions in the REST API Reference Manual.
Set up ingest-time log to metrics conversion with configuration files | Investigate counter metrics |
This documentation applies to the following versions of Splunk® Enterprise: 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9
Feedback submitted, thanks!