Splunk Cloud

Search Reference

msearch

Description

Returns a list of the individual metric data points in a specified metric index that match a provided filter. msearch returns metric data points in JSON format by default.

The msearch command cannot search data that was indexed prior to your upgrade to the 8.0.x version of the Splunk platform.

You can use the msearch command only if your role has the run_msearch capability. See Define roles on the Splunk platform with capabilities in Securing Splunk Enterprise.

Syntax

msearch [filter=<string>] [<index-opt>]... [splunk_server=<wc-string>] [splunk_server_group=<wc-string>]... [earliest=<time-specifier>] [latest=<time-specifier>]

Required arguments

None. By default all types of terms are returned.

Optional arguments

filter
Syntax: filter="<string>"
Description: An arbitrary boolean expression over the dimension or metric_name.
index-opt
Syntax: index=<index-name> (index=<index-name>)...
Description: Limits the search to results from one or more indexes. You can use wildcard characters (*). To match non-internal indexes, use index=*. To match internal indexes, use index=_*.
splunk_server
Syntax: splunk_server=<wc-string>
Description: Specifies the distributed search peer from which to return results. If you are using Splunk Enterprise, you can specify only one splunk_server argument. However, you can use a wildcard when you specify the server name to indicate multiple servers. For example, you can specify splunk_server=peer01 or splunk_server=peer*. Use local to refer to the search head.
splunk_server_group
Syntax: splunk_server_group=<wc-string>
Description: Limits the results to one or more server groups. If you are using Splunk Cloud, omit this parameter. You can specify a wildcard character in the string to indicate multiple server groups.
earliest
Syntax: earliest=<time-specifier>
Description: Specify the earliest _time for the time range of your search. You can specify an exact time (earliest="11/5/2016:20:00:00") or a relative time (earliest=-h or earliest=@w0).
latest
Syntax: latest=<time-specifier>
Description: Specify the latest _time for the time range of your search. You can specify an exact time (latest="11/12/2016:20:00:00") or a relative time (latest=-30m or latest=@w6).

Usage

This search command generates a list of individual metric data points from a specified metric index that match a provided filter. The filter can be any arbitrary boolean expression over the dimensions or the metric_name. Specify earliest and latest to override the time range picker settings.

The msearch command is designed to display individual metric data points in JSON format. If you want to aggregate metric data points, use the mstats command.

Examples

1. Return data points that match a specific filter

This search returns individual data points from the _metrics index that match a specific filter.

| msearch index=_metrics filter="group=queue name=indexqueue metric_name=*.current_size"

Here is an example of a JSON-formatted result of the above search.

[Screenshot: a metric data point returned by a search with the msearch command, shown in JSON format with the dimensions and measures arranged in a column.]

2. Return individual data points from the metrics index

| msearch index=_metrics

See also

Commands
mcatalog
mcollect
mstats

This documentation applies to the following versions of Splunk Cloud: 8.0.0

