Splunk® Enterprise

Metrics

Splunk Enterprise version 8.1 will no longer be supported as of April 19, 2023. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Perform statistical calculations on metric time series

A metric time series is a set of metric data points that all share a unique combination of a metric and a set of dimension field-value pairs.

For example, say you have a metric named miles.driven. This metric represents the odometer readings of various race cars. Metric data points for miles.driven include the following dimensions: vehicle_type, engine_type, vehicle_number, and driver_name.

The following table displays a set of metric data points ordered by _time. You can see that they break out into two distinct metric time series for the miles.driven metric:

_time metric_name:miles.driven vehicle_type engine_type vehicle_number driver_name
01-05-2020 16:26:42.025 -0700 134.0643 Ferrari F136 011 LanaR
01-05-2020 16:26:41.834 -0700 128.4515 Ferrari F136 009 RavenM
01-05-2020 16:26:41.655 -0700 133.7509 Ferrari F136 011 LanaR
01-05-2020 16:26:41.007 -0700 127.8861 Ferrari F136 009 RavenM
01-05-2020 16:26:40.623 -0700 127.1277 Ferrari F136 009 RavenM
01-05-2020 16:26:40.014 -0700 133.2482 Ferrari F136 011 LanaR

Both metric time series in this metric data point table have Ferrari as their vehicle type and F136 as their engine_type, but they have different vehicle_number and vehicle_driver values. The metric data points with vehicle_number=009 and driver_name=RavenM make up one distinct metric time series. The metric data points with vehicle_number=011 and driver_name=LanaR make up the other distinct metric time series.

As the different vehicle_number and driver_name values indicate, the metric data points in this sample are from two different cars that are being driven at roughly the same time. If you want to get the average rate(X) for the miles.driven metric, it doesn't make sense to calculate the average rate for all six of these metric data points. Instead, get the average rate grouped by metric time series, so you are not mixing the cars together.

You can perform statistical calculations on the time series associated with a particular metric if you call out all of the dimensions related to the metric in the search. But this approach can be unwieldy, especially for metrics that involve a large number of dimensions.

| mstats avg(miles.driven) BY vehicle_type engine_type vehicle_number driver_name

The special _timeseries field replaces those potentially long dimension lists. Use it in conjunction with mstats to calculate statistics per time series. For example, this search retrieves the average miles.driven for both of the time series represented in the sample:

| mstats avg(miles.driven) BY _timeseries

For more information, see mstats in Search Reference.

_timeseries is an internal field

_timeseries is an internal field and is hidden from the Splunk Web interface. If you want to display it in your results you need to implement a rename command to display _timeseries as timeseries or time_series.

| mstats avg(miles.driven) BY _timeseries | rename _timeseries AS timeseries

Combine _timeseries with group-by fields when its values are processed by commands other than mstats

_timeseries is a JSON-formatted field. Therefore, you might want to combine it with another group-by field if you need to process its values by an additional non-mstats command, such as stats. This method is best suited for situations where all of the results share the same metric time series.

The following search uses mstats to calculate the rate for the time series related to the miles.driven metric. Then it uses stats to calculate the sum of each of those rates.

mstats rate(miles.driven) as driven BY vehicle_number, _timeseries | stats sum(rate(miles.driven)) BY vehicle_number

You can simplify this example search by using the rate_sum(X) function.

See Time functions in the Search Reference.

Last modified on 12 September, 2024
Search and monitor metrics   Investigate counter metrics

This documentation applies to the following versions of Splunk® Enterprise: 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters