Splunk® Enterprise


Splunk Enterprise version 9.0 will no longer be supported as of June 14, 2024. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Overview of metrics

Metrics is a feature for system administrators, IT, and service engineers that focuses on collecting, investigating, monitoring, and sharing metrics from your technology infrastructure, security systems, and business applications in real time.

In the Splunk platform, you use metric indexes to store metrics data. This index type is optimized for the storage and retrieval of metric data.

Metrics in the Splunk platform use a custom index type that is optimized for metric storage and retrieval. You can run metrics-specific commands such as mstats, mcatalog, and mpreview on the metric data points in those metric indexes. For example, the mstats command lets you apply aggregate functions such as average, sum, count, and rate to those data points, which helps you isolate and correlate problems across different data sources.

When you ingest metrics data, each metric event counts toward license volume in the same way that event data does, but the per-event size measurement is capped at 150 bytes. A metric event of fewer than 150 bytes is recorded as its size in bytes plus 18 bytes, up to a maximum of 150 bytes; a metric event that exceeds 150 bytes is recorded as 150 bytes. Metrics data draws from the same license quota as event data.

Metrics indexing and search are case sensitive. This means, for example, that metrics search commands like mstats and mpreview treat the following as three distinct metrics: cap.gear, CAP.GEAR, and Cap.Gear.

What is a metric data point?

A metric is a single measurement at a specific point in time. If you combine that measurement with a timestamp and one or more dimensions, you have a metric data point. A single metric data point can contain one timestamp but multiple measurements and multiple dimensions.

Timestamp
Indicates when the measurements in the data point were taken. By default, metrics indexes are searchable at second-by-second precision. To configure a metrics index to have subsecond precision, see Metrics indexes with millisecond timestamps in Managing Indexers and Clusters of Indexers.
Metric name
A thing you are measuring. Metric names can include only uppercase letters, lowercase letters, numbers, underscores, dots, and colons. Metric names use dots to separate their namespaces into segments. The dots enable the creation of metric hierarchies, such as spl.mlog.per_index_thruput.ev. Metric names cannot include spaces or the reserved term metric_name, and they cannot begin with numbers or underscores.
Numeric value
A number (integer or double float) representing the value of a metric at a given point in time, such as a count.
Measurement
A field-value combination of a metric_name and a corresponding numeric_value. Measurements always follow this syntax: metric_name:<metric_name>=<numeric_value>. For example: metric_name:cpu.idle=15 or metric_name:io.util=10.232.
Dimensions
Metadata fields that provide additional information about the measurements. Dimensions provide categories that you can use to filter or group metric data points. For example:
  • Region: us-east-1, us-west-1, us-west-2, us-central1
  • InstanceType: t2.medium, t2.large, m3.large, n1-highcpu-2
  • Technology: nginx, redis, tomcat
All metric data points have the following three default dimensions: host, source, and sourcetype. The Splunk software adds these dimensions to each metric data point when it indexes it. Even when a metric data point has no other dimensions, it can still be filtered or grouped by these default dimensions.

The following are examples of systems that generate metrics:

  • IT infrastructure, such as hosts, networks, and devices
  • System components, such as web servers and databases
  • Application-specific metrics, such as timers that measure performance of a function
  • Software as a Service (SaaS) systems
  • Sensors, such as Internet of Things (IoT) features

What is a metric time series?

A metric time series is a set of metric data points that measure the same things and have the same sets of dimensions. The following three metric data points form a metric time series. Note that each metric data point has measurements for the max.size.kb, current.size.kb, and current.size metrics and that they share the same dimension field-value combinations.

_time                          metric_name:max.size.kb  metric_name:current.size.kb  metric_name:current.size  group  name
08-05-2019 16:26:42.025 -0700  500                      300                          53                        queue  azd
08-05-2019 16:26:41.055 -0700  345                      245                          43                        queue  azd
08-05-2019 16:26:40.023 -0700  334                      124                          39                        queue  azd

See Perform statistical calculations on metric time series for more information about metric time series and how you can use the _timeseries field in mstats searches.
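The data point structure, metric-name rules, license size accounting and time-series grouping described above, as an added Python example that is not part of the Splunk documentation or product code. It assumes a constructed one-line `_time=<epoch> key=value ...` representation of a data point (not a Splunk input format), and the host, source and sourcetype values are constructed stand-ins for what the indexer would add.

```python
import re

# Name rules from this page: letters, digits, "_", "." and ":" only; no leading digit or "_"; "metric_name" is reserved.
METRIC_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_.:]*$")
# Dimensions the indexer adds to every point; these values are constructed stand-ins.
DEFAULT_DIMENSIONS = {"host": "h1", "source": "s1", "sourcetype": "st1"}

def is_valid_metric_name(name):
    return bool(METRIC_NAME_RE.match(name)) and name != "metric_name"

def parse_data_point(line):
    """Parse a constructed '_time=<epoch> key=value ...' line: metric_name:<name>=<value>
    fields are measurements, the rest dimensions; keys are case sensitive (cap.gear != CAP.GEAR)."""
    timestamp, measurements, dimensions = None, {}, dict(DEFAULT_DIMENSIONS)
    for field in line.split():
        key, _, value = field.partition("=")
        if key == "_time":
            timestamp = float(value)
        elif key.startswith("metric_name:"):
            name = key[len("metric_name:"):]
            if not is_valid_metric_name(name):
                raise ValueError(f"invalid metric name: {name!r}")
            measurements[name] = float(value)  # integer or double float
        else:
            dimensions[key] = value
    if timestamp is None or not measurements:
        raise ValueError("a data point needs _time and at least one measurement")
    return timestamp, measurements, dimensions

def licensed_bytes(raw_size):
    return min(raw_size + 18, 150)  # license volume per event: size + 18, capped at 150

def group_time_series(points):
    """Group points that share the same metric names and dimension values."""
    series = {}
    for ts, meas, dims in points:
        series.setdefault((tuple(sorted(meas)), tuple(sorted(dims.items()))), []).append((ts, meas))
    return series

# Constructed sample: the table's three points plus one with a different "name" dimension.
SAMPLE_LINES = [
    "_time=1565047602.025 metric_name:max.size.kb=500 metric_name:current.size.kb=300 metric_name:current.size=53 group=queue name=azd",
    "_time=1565047601.055 metric_name:max.size.kb=345 metric_name:current.size.kb=245 metric_name:current.size=43 group=queue name=azd",
    "_time=1565047600.023 metric_name:max.size.kb=334 metric_name:current.size.kb=124 metric_name:current.size=39 group=queue name=azd",
    "_time=1565047600.023 metric_name:max.size.kb=100 metric_name:current.size.kb=20 metric_name:current.size=4 group=queue name=bzd",
]

def sample_series():
    return group_time_series(parse_data_point(l) for l in SAMPLE_LINES)
```

Running `sample_series()` returns two series: the three table rows form one, and the point whose name dimension is bzd forms another even though it carries the same metric names.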

What features does the Splunk platform provide for metrics data?

The Splunk platform provides a fully-rounded metrics solution that runs from metrics data ingestion, indexing, and transformation on one end, to metrics search, analysis and reporting on the other.

Getting metrics data in
The Splunk platform utilizes a metric collection framework of agents and APIs to collect and ingest high-volume metrics. It supports line metric protocols like collectd and StatsD. The universal forwarder and heavy forwarder can use this collection framework to ingest metric data and securely forward it to a standalone metric index or a metric index cluster. See Get metrics data in.
Transforming event data into metric data at indexing time
The metric ingestion pipeline can transform your data at indexing time so that it conforms to the protocols of well-structured metrics. You can also use our log-to-metrics functionality to transform event data into metrics data as it is ingested and indexed. See Convert event logs to metric data points.
Converting event data into metric data at search time
The mcollect and meventcollect commands enable you to convert results of event data searches or streaming events into metric data points at search time. See the topics on the mcollect and meventcollect commands.
Searching and reporting on metric data
The metrics-specific mstats, mpreview, and mcatalog commands let you filter, aggregate and report on your metrics data. See Search and monitor metrics.
Visualizing and analyzing metric trends
The Analytics Workspace makes it easy to monitor and analyze trends in your metrics data without using the Splunk Search Processing Language (SPL). Use it to create interactive charts, visualize metric data correlations, and save your creations as charts or dashboards. See About the Analytics Workspace in the Analytics Workspace manual.
Last modified on 30 April, 2024

This documentation applies to the following versions of Splunk® Enterprise: 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.2.0, 9.2.1, 9.2.2
