Splunk® Enterprise



Overview of metrics

Metrics is a feature for system administrators, IT, and service engineers that focuses on collecting, investigating, monitoring, and sharing metrics from your technology infrastructure, security systems, and business applications in real time.

In the Splunk platform, you use metric indexes to store metrics data. This index type is optimized for the storage and retrieval of metric data.

Metrics in the Splunk platform uses a custom index type that is optimized for metric storage and retrieval. You can run metrics-specific commands like mstats, mcatalog, and msearch on the metric data points in those metric indexes. For example, the mstats command lets you apply aggregate functions such as average, sum, count, and rate to those data points, helping you isolate and correlate problems from different data sources.

As of release 8.0.0 of the Splunk platform, metrics indexing and search are case sensitive. This means, for example, that metrics search commands like mstats and msearch treat the following as three distinct metrics: cap.gear, CAP.GEAR, and Cap.Gear.

What is a metric data point?

A metric is a single measurement at a specific point in time. If you combine that measurement with a timestamp and one or more dimensions, you have a metric data point. A single metric data point can contain one timestamp but multiple measurements and multiple dimensions.

Timestamp
Indicates when the measurements in the data point were taken.
Metric name
The thing you are measuring. It uses a dotted hierarchy to refer to a namespace, such as spl.mlog.per_index_thruput.ev. You can use any string as a metric name. Metric names can include letters, numbers, underscores, dots, and other symbols (with the exception of the reserved term "metric_name"). Metric names use dots to separate their namespaces into segments. The dots enable the creation of metric hierarchies.
Numeric value
A number (integer or double float) representing the value of a metric at a given point in time, such as a count.
Measurement
A field-value combination of a metric_name and a corresponding numeric_value. Measurements always follow this syntax: metric_name:<metric_name>=<numeric_value>. For example: metric_name:cpu.idle=15 or metric_name:io.util=10.232.
Dimensions
Metadata fields that provide additional information about the measurements. Dimensions provide categories that you can use to filter or group metric data points. For example:
  • Region: us-east-1, us-west-1, us-west-2, us-central1
  • InstanceType: t2.medium, t2.large, m3.large, n1-highcpu-2
  • Technology: nginx, redis, tomcat
All metric data points have the following three default dimensions: host, source, and sourcetype. The Splunk software adds these dimensions to each metric data point when it indexes it. Even when a metric data point has no other dimensions, it can still be filtered or grouped by these default dimensions.

The following are examples of systems that generate metrics:

  • IT infrastructure, such as hosts, networks, and devices
  • System components, such as web servers and databases
  • Application-specific metrics, such as timers that measure performance of a function
  • Software as a Service (SaaS) systems
  • Sensors, such as Internet of Things (IoT) features

What is a metric time series?

A metric time series is a set of metric data points that measure the same things and have the same sets of dimensions. The following three metric data points form a metric time series. Note that each metric data point has measurements for the max.size.kb, current.size.kb, and current.size metrics and that they share the same dimension field-value combinations.

_time                          metric_name:max.size.kb  metric_name:current.size.kb  metric_name:current.size  group  name
08-05-2019 16:26:42.025 -0700  500                      300                          53                        queue  azd
08-05-2019 16:26:41.055 -0700  345                      245                          43                        queue  azd
08-05-2019 16:26:40.023 -0700  334                      124                          39                        queue  azd

See Perform statistical calculations on metric time series for more information about metric time series and how you can use the _timeseries field in mstats searches.
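The following is an added example, not Splunk code, that illustrates the two definitions above: it parses data points written in the metric_name:<metric_name>=<numeric_value> syntax (treating everything else as dimensions, adding the host, source, and sourcetype defaults, and rejecting the reserved term "metric_name"), then groups the points into time series by identical metric names and dimension values, keeping names case sensitive. The parse format, default dimension values, and sample rows are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Constructed example, not Splunk code: parses data points written in the
# metric_name:<metric_name>=<numeric_value> syntax from this page and groups
# them into time series (same metric names, same dimension values).

RESERVED = "metric_name"              # the one term a metric name may not be
TOKEN = re.compile(r"(\S+?)=(\S+)")   # key=value pairs separated by whitespace

def valid_metric_name(name):
    return bool(name) and name != RESERVED

def parse_data_point(time, line, host="h1", source="s1", sourcetype="st1"):
    """Split one line into measurements and dimensions; names stay case sensitive."""
    # host, source and sourcetype are always present, as the indexer adds them
    dims = {"host": host, "source": source, "sourcetype": sourcetype}
    measurements = {}
    for key, value in TOKEN.findall(line):
        if key.startswith("metric_name:"):
            name = key[len("metric_name:"):]
            if not valid_metric_name(name):
                raise ValueError(f"invalid metric name: {name!r}")
            # float() raises ValueError for anything that is not a number
            measurements[name] = float(value)   # integer or double float
        else:
            dims[key] = value
    if not measurements:
        raise ValueError("a metric data point needs at least one measurement")
    return {"time": time, "measurements": measurements, "dimensions": dims}

def series_key(point):
    """Points with identical metric names and dimension values share a series."""
    return (tuple(sorted(point["measurements"])),
            tuple(sorted(point["dimensions"].items())))

def group_time_series(points):
    groups = defaultdict(list)
    for p in points:
        groups[series_key(p)].append(p)
    return dict(groups)

ROWS = [  # constructed sample matching the three-row table above
    ("08-05-2019 16:26:42.025 -0700", 500, 300, 53),
    ("08-05-2019 16:26:41.055 -0700", 345, 245, 43),
    ("08-05-2019 16:26:40.023 -0700", 334, 124, 39),
]
SAMPLE = [(t, f"metric_name:max.size.kb={a} metric_name:current.size.kb={b} "
              f"metric_name:current.size={c} group=queue name=azd") for t, a, b, c in ROWS]
```

Running group_time_series over SAMPLE yields a single series; a point with a different dimension value, or a metric name that differs only in case, starts a new one.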

What features does the Splunk platform provide for metrics data?

The Splunk platform provides a well-rounded metrics solution that runs from metrics data ingestion, indexing, and transformation on one end, to metrics search, analysis, and reporting on the other.

Getting metrics data in
The Splunk platform utilizes a metric collection framework of agents and APIs to collect and ingest high-volume metrics. It supports line metric protocols like collectd and StatsD. The universal forwarder and heavy forwarder can use this collection framework to ingest metric data and securely forward it to a standalone metric index or a metric index cluster. See Get metrics data in.
Transforming event data into metric data at indexing time
The metric ingestion pipeline can transform your data at indexing time so that it conforms to the protocols of well-structured metrics. You can also use our log-to-metrics functionality to transform event data into metrics data as it is ingested and indexed. See Convert event logs to metric data points.
Converting event data into metric data at search time
The mcollect and meventcollect commands enable you to convert results of event data searches or streaming events into metric data points at search time. See the topics on the mcollect and meventcollect commands.
Searching and reporting on metric data
The metrics-specific mstats, msearch, and mcatalog commands let you filter, aggregate and report on your metrics data. See Search and monitor metrics.
Visualizing and analyzing metric trends
The Analytics Workspace makes it easy to monitor and analyze trends in your metrics data without using the Splunk Search Processing Language (SPL). Use it to create interactive charts, visualize metric data correlations, and save your creations as charts or dashboards. See About the Analytics Workspace in the Analytics Workspace manual.
Last modified on 15 September, 2020

This documentation applies to the following versions of Splunk® Enterprise: 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.1.0
