Is there a way to use the improved mstats syntax introduced in 7.1 (changes described here) with metrics that have spaces in their names? I'm getting an error "Term based search is not supported" when I try.
I'm trying out the new Splunk Add-on for Microsoft Windows version, which includes the transforms necessary for storing the perfmon data in metrics indexes. It works great, except for the cases where the perfmon counter name has spaces in it.
For example, this search works:
| mstats avg("Threads") where index=my_metric_index span=1m
But this one produces the error mentioned above:
| mstats avg("% Processor Time") where index=my_metric_index span=1m
I can get the result I need using the deprecated syntax like this, but there's a reason why it's deprecated:
| mstats avg(_value) where index=my_metric_index metric_name="% Processor Time" span=1m
Any good way to resolve this? Currently the only thing that comes to mind is removing or replacing the spaces using SEDCMD, but that doesn't seem very optimal.
Since I wasn't able to find another way, I went with the SEDCMD replacement approach.
SEDCMD-perfmons = s/(?<!\d\d) /_/g
This SEDCMD only replaces spaces that are after 2 digits, to avoid replacing spaces in the timestamp (seemed to interfere with correct timestamp recognition).
Still not sure that this is the best approach, but since the regex is simple enough, I hope it will be ok for the data amounts I'm getting. At least until there's a better solution.
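What that substitution does to a whole event, as an added example that is not part of the original post: the pattern replaces a space unless the two characters before it are digits, emulated here with Python's re module. The sample events, the assumed layout (a timestamp line followed by key=value lines) and the counter name "Queue 10 Length" are constructed for illustration.

```python
import re

# Pattern from the SEDCMD on this page: a space NOT preceded by two digits.
SEDCMD_PATTERN = re.compile(r"(?<!\d\d) ")


def apply_sedcmd(raw_event):
    """Emulate the page's SEDCMD substitution over a whole raw event."""
    return SEDCMD_PATTERN.sub("_", raw_event)


def lines_still_containing_spaces(raw_event):
    """Return rewritten non-timestamp lines that still contain a space."""
    rewritten = apply_sedcmd(raw_event).splitlines()
    return [line for line in rewritten[1:] if " " in line]


# Constructed perfmon-style event (assumed layout, not captured data).
SAMPLE_EVENT = "\n".join([
    "05/30/2018 12:00:00.123 +0000",
    "collection=CPU",
    "object=Processor",
    'counter="% Processor Time"',
    "instance=_Total",
    "Value=1.23",
])

# Constructed edge case: a counter name with a two-digit number before a space.
EDGE_EVENT = "\n".join([
    "05/30/2018 12:00:00.123 +0000",
    'counter="Queue 10 Length"',
    "Value=4",
])

if __name__ == "__main__":
    print(apply_sedcmd(SAMPLE_EVENT))
    print("--- lines that would still break the new mstats syntax ---")
    for line in lines_still_containing_spaces(EDGE_EVENT):
        print(line)
```

Running the check over a sample of real events before deploying the SEDCMD shows whether any counter or instance names would keep a space.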
I see the exact same behavior. Anyone have any pointers? Or a better workaround?
Try putting the field name between single ticks.
| mstats avg('% Processor Time')
Unfortunately, this doesn't work for me. Splunk seems to think that the first space signals the end of the avg expression - the error I get is
Error in 'mstats' command: Invalid token: avg('%