Perform statistical calculations on metric time series
A metric time series is a set of metric data points that all share a unique combination of a metric and a set of dimension field-value pairs.
For example, say you have a metric named miles.driven. This metric represents the odometer readings of various race cars. Metric data points for miles.driven include the following dimensions: vehicle_type, engine_type, vehicle_number, and driver_name.
The following table displays a set of metric data points ordered by _time. You can see that they break out into two distinct metric time series for the miles.driven metric:
| _time | metric_name:miles.driven | vehicle_type | engine_type | vehicle_number | driver_name |
|---|---|---|---|---|---|
| 01-05-2020 16:26:42.025 -0700 | 134.0643 | Ferrari | F136 | 011 | LanaR |
| 01-05-2020 16:26:41.834 -0700 | 128.4515 | Ferrari | F136 | 009 | RavenM |
| 01-05-2020 16:26:41.655 -0700 | 133.7509 | Ferrari | F136 | 011 | LanaR |
| 01-05-2020 16:26:41.007 -0700 | 127.8861 | Ferrari | F136 | 009 | RavenM |
| 01-05-2020 16:26:40.623 -0700 | 127.1277 | Ferrari | F136 | 009 | RavenM |
| 01-05-2020 16:26:40.014 -0700 | 133.2482 | Ferrari | F136 | 011 | LanaR |
Both metric time series in this metric data point table have Ferrari as their vehicle type and F136 as their engine_type, but they have different vehicle_number and vehicle_driver values. The metric data points with vehicle_number=009 and driver_name=RavenM make up one distinct metric time series. The metric data points with vehicle_number=011 and driver_name=LanaR make up the other distinct metric time series.
As the different vehicle_number and driver_name values indicate, the metric data points in this sample are from two different cars that are being driven at roughly the same time. If you want to get the average rate(X) for the miles.driven metric, it doesn't make sense to calculate the average rate for all six of these metric data points. Instead, get the average rate grouped by metric time series, so you are not mixing the cars together.
You can perform statistical calculations on the time series associated with a particular metric if you call out all of the dimensions related to the metric in the search. But this approach can be unwieldy, especially for metrics that involve a large number of dimensions.
| mstats avg(miles.driven) BY vehicle_type engine_type vehicle_number driver_nameThe special _timeseries field replaces those potentially long dimension lists. Use it in conjunction with mstats to calculate statistics per time series. For example, this search retrieves the average miles.driven for both of the time series represented in the sample:
| mstats avg(miles.driven) BY _timeseriesFor more information, see mstats in Search Reference.
_timeseries is an internal field
_timeseries is an internal field and is hidden from the Splunk Web interface. If you want to display it in your results you need to implement a rename command to display _timeseries as timeseries or time_series.
| mstats avg(miles.driven) BY _timeseries | rename _timeseries AS timeseriesCombine _timeseries with group-by fields when its values are processed by commands other than mstats
_timeseries is a JSON-formatted field. Therefore, you might want to combine it with another group-by field if you need to process its values by an additional non-mstats command, such as stats. This method is best suited for situations where all of the results share the same metric time series.
The following search uses mstats to calculate the rate for the time series related to the miles.driven metric. Then it uses stats to calculate the sum of each of those rates.
mstats rate(miles.driven) as driven BY vehicle_number, _timeseries | stats sum(rate(miles.driven)) BY vehicle_numberrate_sum(X) function.See Time functions in the Search Reference.