Default: 10000000 (10 million) fillnull_value Description: This argument sets a user-specified value that the mstats command substitutes for null values for any field within its group-by field list. For mstats, chunk_size cannot be set lower than 10000. A higher chunk_size, on the other hand, can help long-running searches to complete faster, with the potential tradeoff of causing the search to be less responsive. In such situations, a lower chunk_size value can make mstats searches more responsive, but potentially slower to complete. This can happen when a search groups by excessively high-cardinality dimensions (dimensions with very large amounts of distinct values). Lower this setting from its default only when you find a particular mstats search is using too much memory, or when it infrequently returns events.
#Splunk tstats command software
tsidx file) when the Splunk software processes searches.
#Splunk tstats command series
This argument controls how many metric time series are retrieved at a time from a single time-series index file (. chunk_size Syntax: chunk_size= Description: Advanced option. See the Chart options section in this topic.
Default: chart=f Syntax: chart.limit | chart.agg | enull | eother | chart.nullstr | chart.otherstr Description: Options that you can specify to refine the result. The second grouping field represents the y-axis and is a series split field. The first grouping field represents the chart x-axis. Without a span, the mstats chart mode requires one or two grouping fields. When no span is provided, the chart mode follows a format similar to that of the chart or timechart commands. When a span is provided, the mstats chart mode format resembles that of the timechart command, and can support at most one group-by field, which is used as the series splitting field. The mstats charting mode is valid only when prestats=f. Default: true chart Syntax: chart= Description: When set to chart=t, the mstats data output has a format suitable for charting.
When backfill=true, the mstats command runs a search on historical data to backfill events before searching the in-memory real-time data. Default: false backfill Syntax: backfill= Description: Valid only with real-time searches that have a time window. This argument runs the mstats command and adds the results to an existing set of results instead of generating new results. Optional arguments append Syntax: append= Description: Valid only when prestats=true. See Stats metric term options for details on the and syntax options. In these cases you can apply a wildcard to catch all of the permutations of the metric_name. You only need to use the syntax in cases where a single metric may be represented by several different metric names, such as cpu.util and cpu.utilization. You cannot blend the syntax and the syntax for most cases. Use for cases where a wildcard can be used to represent several metrics.
Use to perform statistical calculations on one or more metrics that you name in the argument. Required arguments Syntax: | Description: Provides two options for performing statistical calculations on metrics. The mstats command provides the best search performance when you use it to search a single metric_name value or a small number of metric_name values. When you use mstats in a real-time search with a time window, a historical search runs first to backfill the data. You can use mstats in historical searches and real-time searches. This command performs statistics on the measurement, metric_name, and dimension fields in metric indexes. Use the mstats command to analyze metrics.
0 kommentar(er)
