Overview of metrics
Metrics is a feature for system administrators, IT, and service engineers that focuses on collecting, investigating, monitoring, and sharing metrics from your technology infrastructure, security systems, and business applications in real time.
In the Splunk platform, you use metric indexes to store metrics data. This index type is optimized for the storage and retrieval of metric data.
Metrics in the Splunk platform uses a custom index type that is optimized for metric storage and retrieval. You can run metrics-specific commands like
msearch on the metric data points in those metric indexes. For example, the
mstats command lets you apply aggregate functions such as average, sum, count, and rate to those data points, helping you isolate and correlate problems from different data sources.
As of release 8.0.0 of the Splunk platform, metrics indexing and search is case sensitive. This means, for example, that metrics search commands like
msearch treat the following as three distinct metrics:
What is a metric data point?
A metric is a single measurement at a specific point in time. If you combine that measurement with a timestamp and one or more dimensions, you have a metric data point. A single metric data point can contain one timestamp but multiple measurements and multiple dimensions.
- Indicates when the measurements in the data point were taken.
- A thing you are measuring. Uses a dotted hierarchy to refer to a namespace, such as
spl.mlog.per_index_thruput.ev. You can use any string as a metric name. Metric names can include letters, numbers, underscores, dots, and other symbols (with the exception of the reserved term "metric_name"). Metric names use dots to separate their namespaces into segments. The dots enable the creation of metric hierarchies.
- A number (integer or double float) representing the value of a metric at a given point of time, such as a count.
- A field-value combination of a
metric_nameand a corresponding
numeric_value. Measurements always follow this syntax:
metric_name:<metric_name>=<numeric_value>. For example:
- Metadata fields that provide additional information about the measurements. Dimensions provide categories that you can use to filter or group metric data points. For example:
- Region: us-east-1, us-west-1, us-west-2, us-central1
- InstanceType: t2.medium, t2.large, m3.large, n1-highcpu-2
- Technology: nginx, redis, tomcat
- All metric data points have the following three default dimensions:
sourcetype. The Splunk software adds these dimensions to the metric data point when it indexes them. Even when a metric data point does not have any other dimensions, it can still be filtered or grouped by these default dimensions.
The following are examples of systems that generate metrics:
- IT infrastructure, such as hosts, networks, and devices
- System components, such as web servers and databases
- Application-specific metrics, such as timers that measure performance of a function
- Software as a Service (SaaS) systems
- Sensors, such as Internet of Things (IoT) features
What is a metric time series?
A metric time series is a set of metric data points that measure the same things and have the same sets of dimensions. The following three metric data points form a metric time series. Note that each metric data point has measurements for the
current.size metrics and that they share the same dimension field-value combinations.
|08-05-2019 16:26:42.025 -0700||500||300||53||queue||azd|
|08-05-2019 16:26:41.055 -0700||345||245||43||queue||azd|
|08-05-2019 16:26:40.023 -0700||334||124||39||queue||azd|
See Perform statistical calculations on metric time series for more information about metric time series and how you can use the
_timeseries field in
What features does the Splunk platform provide for metrics data?
The Splunk platform provides a fully-rounded metrics solution that runs from metrics data ingestion, indexing, and transformation on one end, to metrics search, analysis and reporting on the other.
- Getting metrics data in
- The Splunk platform utilizes a metric collection framework of agents and APIs to collect and ingest high-volume metrics. It supports line metric protocols like collectd and StatsD. The universal forwarder and heavy forwarder can use this collection framework to ingest metric data and securely forward it to a standalone metric index or a metric index cluster. See Get metrics data in.
- Transforming event data into metric data at indexing time
- The metric ingestion pipeline can transform your data at indexing time so that it conforms to the protocols of well-structured metrics. You can also use our log-to-metrics functionality to transform event data into metrics data as it is ingested and indexed. See Convert event logs to metric data points.
- Converting event data into metric data at search time
meventcollectcommands enable you to convert results of event data searches or streaming events into metric data points at search time. See the topics on the
- Searching and reporting on metric data
- The metrics-specific
mcatalogcommands let you filter, aggregate and report on your metrics data. See Search and monitor metrics.
- Visualizing and analyzing metric trends
- The Analytics Workspace makes it easy to monitor and analyze trends in your metrics data without using the Splunk Search Processing Language(SPL). Use it to create interactive charts, visualize metric data correlations, and save your creations as charts or dashboards. see About the Analytics Workspace in the Analytics Workspace manual.
Get started with metrics
This documentation applies to the following versions of Splunk® Enterprise: 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.2.0