Splunk Search

How can I see the Data in a Metrics Index in Splunk 7?

bojanisch
Path Finder

Hi everyone,

I'm looking forward to doing some data science with Splunk and was very happy to read about the Metrics Index in the past few days. But now that I've uploaded some sensor measures from my Mi Band (steps and heart rate) I was wondering how to see the data. Is it even possible to see all data in a Metrics Index, or should I use a casual Event Index for this purpose?

Then again, I was wondering how I can use this new index structure in combination with custom search commands and whether they behave in the same manner as before (getting a stream or the whole data as a result set, etc.). Is there something to consider when using csc in combination with mstats?

Finally, I was wondering about the timespan which can be given to mstats. Apparently I thought it would work like the span with the timechart command, but it does not seem so. For example, the command index="sensordataEventIndex" | timechart max(_value) span=1d by metric_name gives me completely different results than | mstats max(_value) span=1d WHERE metric_name=* AND index="sensordataMetricsIndex" by metric_name. Can someone explain the difference to me?

Thanks in advance and kind regards,
Bojan

0 Karma

rjthibod
Champion

At this time, the only commands that support Metrics Indexes are mstats and mcatalog. My understanding is that mcatalog is only for getting metadata about the contents of the Metrics Index, whereas mstats is the only command to query / visualize the data.

There is no great interface/dashboard pre-built in Splunk 7.0.0 for exploring Metrics data. Splunk released this Metrics Explorer app at .conf ( https://splunkbase.splunk.com/app/3726/ ), but it looks rushed and poorly put together in v0.1.2.

I know @sideview put a metrics explorer interface in his app at .conf. I haven't played with it, but you can find it here: https://sideviewapps.com/apps/sideview-utils/

As far as the data coming out, I think you have to assume that the output of mstats is going to be just like tstats, i.e., you use append and prestats in the same ways. With Metrics indexes, there are no such things as events, or at least that seems to be how Splunk is telling people to think about it.
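As an added illustration of the answer above (these searches are not part of the original post and were not written by the poster), here is the mcatalog / mstats pattern it describes, using the index name from the question. The first search lists which metric names the Metrics Index holds, the second buckets the values per day with mstats directly, and the third uses prestats=true so that timechart does the final aggregation, which is the same way prestats is used with tstats. The index name sensordataMetricsIndex and the Splunk 7.0-style _value field are taken from the question; the output field name max_value is an assumption chosen for readability.

```spl
| mcatalog values(metric_name) AS metric_name WHERE index=sensordataMetricsIndex

| mstats max(_value) AS max_value WHERE index=sensordataMetricsIndex AND metric_name=* span=1d BY metric_name

| mstats max(_value) prestats=true WHERE index=sensordataMetricsIndex AND metric_name=* span=1d BY metric_name
| timechart max(_value) span=1d BY metric_name
```

Run each search on its own. The second form returns one row per day and metric (a tstats-like table rather than events), so there are no raw events to click through; the third form hands the partial results to timechart, which produces the same chart layout you would get from the Event Index search in the question and is the easiest way to compare the two side by side.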
