Perform statistical calculations on metric time series
For example, say you have a metric named
miles.driven. This metric represents the odometer readings of various race cars. Metric data points for
miles.driven include the following dimensions:
The following table displays a set of metric data points ordered by
_time. You can see that they break out into two distinct metric time series for the
|01-05-2020 16:26:42.025 -0700||134.0643||Ferrari||F136||011||LanaR|
|01-05-2020 16:26:41.834 -0700||128.4515||Ferrari||F136||009||RavenM|
|01-05-2020 16:26:41.655 -0700||133.7509||Ferrari||F136||011||LanaR|
|01-05-2020 16:26:41.007 -0700||127.8861||Ferrari||F136||009||RavenM|
|01-05-2020 16:26:40.623 -0700||127.1277||Ferrari||F136||009||RavenM|
|01-05-2020 16:26:40.014 -0700||133.2482||Ferrari||F136||011||LanaR|
Both metric time series in this metric data point table have
Ferrari as their vehicle type and
F136 as their
engine_type, but they have different
vehicle_driver values. The metric data points with
driver_name=RavenM make up one distinct metric time series. The metric data points with
driver_name=LanaR make up the other distinct metric time series.
As the different
driver_name values indicate, the metric data points in this sample are from two different cars that are being driven at roughly the same time. If you want to get the average
rate(X) for the
miles.driven metric, it doesn't make sense to calculate the average rate for all six of these metric data points. Instead, get the average rate grouped by metric time series, so you are not mixing the cars together.
You can perform statistical calculations on the time series associated with a particular metric if you call out all of the dimensions related to the metric in the search. But this approach can be unwieldy, especially for metrics that involve a large number of dimensions.
| mstats avg(miles.driven) BY vehicle_type engine_type vehicle_number driver_name
_timeseries field replaces those potentially long dimension lists. Use it in conjunction with
mstats to calculate statistics per time series. For example, this search retrieves the average
miles.driven for both of the time series represented in the sample:
| mstats avg(miles.driven) BY _timeseries
For more information, see
mstats in Search Reference.
_timeseries is an internal field
_timeseries is an internal field and is hidden from the Splunk Web interface. If you want to display it in your results you need to implement a
rename command to display
| mstats avg(miles.driven) BY _timeseries | rename _timeseries AS timeseries
Combine _timeseries with group-by fields when its values are processed by commands other than mstats
_timeseries is a JSON-formatted field. Therefore, you might want to combine it with another group-by field if you need to process its values by an additional non-mstats command, such as
stats. This method is best suited for situations where all of the results share the same metric time series.
The following search uses
mstats to calculate the rate for the time series related to the
miles.driven metric. Then it uses
stats to calculate the sum of each of those rates.
mstats rate(miles.driven) as driven BY vehicle_number, _timeseries | stats sum(rate(miles.driven)) BY vehicle_number
You can simplify this example search by using the
See Time functions in the Search Reference.
Search and monitor metrics
Investigate counter metrics
This documentation applies to the following versions of Splunk® Enterprise: 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 9.0.0, 9.0.1