Splunk® Enterprise

Metrics

# Perform statistical calculations on metric time series

A metric time series is a set of metric data points that all share a unique combination of a metric and a set of dimension field-value pairs.

For example, say you have a metric named `miles.driven`. This metric represents the odometer readings of various race cars. Metric data points for `miles.driven` include the following dimensions: `vehicle_type`, `engine_type`, `vehicle_number`, and `driver_name`.

The following table displays a set of metric data points ordered by `_time`. You can see that they break out into two distinct metric time series for the `miles.driven` metric:

| _time | metric_name:miles.driven | vehicle_type | engine_type | vehicle_number | driver_name |
|---|---|---|---|---|---|
| 01-05-2020 16:26:42.025 -0700 | 134.0643 | Ferrari | F136 | 011 | LanaR |
| 01-05-2020 16:26:41.834 -0700 | 128.4515 | Ferrari | F136 | 009 | RavenM |
| 01-05-2020 16:26:41.655 -0700 | 133.7509 | Ferrari | F136 | 011 | LanaR |
| 01-05-2020 16:26:41.007 -0700 | 127.8861 | Ferrari | F136 | 009 | RavenM |
| 01-05-2020 16:26:40.623 -0700 | 127.1277 | Ferrari | F136 | 009 | RavenM |
| 01-05-2020 16:26:40.014 -0700 | 133.2482 | Ferrari | F136 | 011 | LanaR |

Both metric time series in this metric data point table have `Ferrari` as their `vehicle_type` and `F136` as their `engine_type`, but they have different `vehicle_number` and `driver_name` values. The metric data points with `vehicle_number=009` and `driver_name=RavenM` make up one distinct metric time series. The metric data points with `vehicle_number=011` and `driver_name=LanaR` make up the other distinct metric time series.

As the different `vehicle_number` and `driver_name` values indicate, the metric data points in this sample are from two different cars that are being driven at roughly the same time. If you want to get the average `rate(X)` for the `miles.driven` metric, it doesn't make sense to calculate the average rate for all six of these metric data points. Instead, get the average rate grouped by metric time series, so you are not mixing the cars together.

You can perform statistical calculations on the time series associated with a particular metric if you call out all of the dimensions related to the metric in the search. But this approach can be unwieldy, especially for metrics that involve a large number of dimensions.

`| mstats avg(miles.driven) BY vehicle_type engine_type vehicle_number driver_name`

The special `_timeseries` field replaces those potentially long dimension lists. Use it in conjunction with `mstats` to calculate statistics per time series. For example, this search retrieves the average `miles.driven` for both of the time series represented in the sample:

`| mstats avg(miles.driven) BY _timeseries`

For more information, see `mstats` in the Search Reference.
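The following added example (Python, not Splunk code and not part of the original documentation) reproduces the reasoning above on the six sample data points: it groups them by a time series key and compares the per-series rates with a rate computed over all points mixed together. The JSON key is a hypothetical stand-in for `_timeseries`, and the rate formula, (latest value - earliest value) / elapsed seconds, is an assumption made for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime

# Rows copied from the sample table on this page.
DIMS = ("vehicle_type", "engine_type", "vehicle_number", "driver_name")
ROWS = [
    ("01-05-2020 16:26:42.025 -0700", 134.0643, "Ferrari", "F136", "011", "LanaR"),
    ("01-05-2020 16:26:41.834 -0700", 128.4515, "Ferrari", "F136", "009", "RavenM"),
    ("01-05-2020 16:26:41.655 -0700", 133.7509, "Ferrari", "F136", "011", "LanaR"),
    ("01-05-2020 16:26:41.007 -0700", 127.8861, "Ferrari", "F136", "009", "RavenM"),
    ("01-05-2020 16:26:40.623 -0700", 127.1277, "Ferrari", "F136", "009", "RavenM"),
    ("01-05-2020 16:26:40.014 -0700", 133.2482, "Ferrari", "F136", "011", "LanaR"),
]

def parse(rows):
    """Yield (series_key, timestamp, value) for each metric data point."""
    for ts, value, *dim_values in rows:
        # Assumed stand-in for _timeseries: metric name plus every dimension,
        # serialized as canonical JSON. Not Splunk's real internal encoding.
        key = json.dumps({"metric_name": "miles.driven",
                          **dict(zip(DIMS, dim_values))}, sort_keys=True)
        yield key, datetime.strptime(ts, "%m-%d-%Y %H:%M:%S.%f %z"), value

def rate(points):
    """Assumed rate: (latest - earliest) / elapsed seconds; needs >= 2 points."""
    (t0, v0), *_, (t1, v1) = sorted(points)
    return (v1 - v0) / (t1 - t0).total_seconds()

def rate_by_series(rows):
    """Rate per time series, in the spirit of grouping BY _timeseries."""
    groups = defaultdict(list)
    for key, when, value in parse(rows):
        groups[key].append((when, value))
    return {key: rate(points) for key, points in groups.items()}

def rate_mixed(rows):
    """Rate over all points at once, ignoring which car produced them."""
    return rate([(when, value) for _, when, value in parse(rows)])

if __name__ == "__main__":
    per_series = rate_by_series(ROWS)
    for key, r in per_series.items():
        print(json.loads(key)["vehicle_number"], round(r, 4))
    print("avg per series:", round(sum(per_series.values()) / len(per_series), 4))
    print("mixed:", round(rate_mixed(ROWS), 4))
```

With this sample, the mixed calculation silently reports only car 011's rate, because that car happens to own both the earliest and the latest data point.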

## _timeseries is an internal field

`_timeseries` is an internal field and is hidden from the Splunk Web interface. If you want to display it in your results, use the `rename` command to display `_timeseries` as `timeseries` or `time_series`.

`| mstats avg(miles.driven) BY _timeseries | rename _timeseries AS timeseries`

## Combine _timeseries with group-by fields when its values are processed by commands other than mstats

`_timeseries` is a JSON-formatted field. Therefore, you might want to combine it with another group-by field if you need to process its values by an additional non-mstats command, such as `stats`. This method is best suited for situations where all of the results share the same metric time series.

The following search uses `mstats` to calculate the rate for each time series related to the `miles.driven` metric. Then it uses `stats` to sum those rates for each `vehicle_number`.

`| mstats rate(miles.driven) AS driven BY vehicle_number, _timeseries | stats sum(driven) BY vehicle_number`

You can simplify this example search by using the `rate_sum(X)` function.

See Time functions in the Search Reference.