Docs » Getting Started » Concepts » Data Model

Data Model πŸ”—

Metrics πŸ”—

A metric is a measurable number that varies over time. Multiple sources or emitters, such as host machines, usually report the same metric. Infrastructure Monitoring can store dimension metadata for these sources or emitters. A combination of a metric and a dimension name and value forms a metric time series (MTS). Individual metric values in an MTS are called datapoints.

  • CPU utilization % of a server
  • Response time in milliseconds of an API call
  • The number of unique users who logged in over the previous 24-hour period

For more information about metrics and the metadata available for finding, filtering, and aggregating data for building charts and configuring detectors for alerting, see Metrics and Metadata.

Metric time series πŸ”—

The same metric can be reported from multiple sources or emitters, and each unique combination of a source and a metric is referred to as a metric time series in Infrastructure Monitoring. For example, suppose you report on the CPU utilization of 10 hosts in a cluster. Then, CPU utilization is the metric and you have time series that represent the CPU utilization over time for each host.

Datapoints πŸ”—

The individual measurements that make up a time series are datapoints. Each datapoint sent to Infrastructure Monitoring contains four pieces of information: metric type, metric name, metric value, and zero or more dimensions.

  • Metric type β€” One of three predefined types: counter, cumulative counter, or gauge. The metric type specified determines the default visualization rollup that Infrastructure Monitoring uses when combining multiple values of this metric for longer time scales.

  • Metric name β€” A name that identifies the values being sent in. For example:, CPUUtilization, transaction.cost, page_visits. For information on naming constraints, see name requirements.

  • Metric value β€” The actual measurement from your system, represented as a number.

  • Dimensions β€” Key/value pairs that are used to identify the source of the datapoint and other useful contextual information. Common examples of dimensions include host names, the environment from which the metric is being generated, or the name of the service with which it is associated.

    Dimensions are one of several forms of metadata in Infrastructure Monitoring that are useful in aggregating and filtering metrics. For example, sending an environment dimension with each datapoint would allow you to suppress alerts on metrics coming from the test environment, but direct alerts from production to your operations team’s preferred messaging system.

Events and event time series πŸ”—

Splunk Infrastructure Monitoring captures and generates events. For the purpose of monitoring, an event is a noteworthy occurrence, such as:

  • A new version of code was released
  • Response time for an API call was much higher than normal
  • A container was stopped

An event time series is the event equivalent of a metric time series. For example, if you alert on when the response time for an API call is higher than normal, then Infrastructure Monitoring will generate an event time series representing the history of those alerts, with each event representing an individual occurrence of the alert.