How to show events per second in timechart regardless of span?

Ayn
Legend

I'm creating a dashboard for web surfing activity which shows, among other things, the number of requests per second as well as the amount of bandwidth generated per second by these requests. The user is able to select the timespan in these charts so I don't want to specify a static span argument to timechart. The second case with bytes per second is solved by using per_second:

| timechart per_second(bytes) as "Bytes per second"

However, per_second can't be used to do the same with the event count as it's not a field. If span was static I could do, for instance, timechart span=5m eval(count(bytes)/300) as "Requests per second", but I would like to avoid having to set the span like that. The only other way I've been able to think of is

| timechart count as reqcount | timechart per_second(reqcount) as "Requests per second"

but that seems a bit too resource consuming. Any ideas on other ways of making this work?

1 Solution

sideview
SplunkTrust

Well, count is not a field, but you can always make a field.

| eval foo=1 | timechart per_second(foo) as "Bytes per second"

or you could use one of the hidden fields that is always there on events.

| timechart per_second(_cd) as "Bytes per second"

and the double timechart clause that you have really doesn't consume any extra resources, by the way. The first timechart will be doing all the work. And it's relatively easy to run little experiments seeing which versions are faster or slower.

All in all, I'd look at:

| timechart count | timechart per_second(count) 

although it is a little weird looking. 😃
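An added example, not part of the original posts and not Splunk code: a small Python model of the two variants discussed above, run over constructed events, showing that they yield the same requests-per-second values at any span. It assumes per_second(X) is the per-bucket sum of X divided by the span in seconds and that both timechart stages use the same span; all function names are hypothetical.

```python
from collections import defaultdict

def bucket(ts, span):
    """Start of the span-second bucket that contains epoch time ts."""
    return ts - ts % span

def per_second(rows, field, span):
    """Assumed model of `timechart per_second(field)`: bucket sum / span seconds."""
    sums = defaultdict(float)
    for row in rows:
        sums[bucket(row["_time"], span)] += row[field]
    return {t: s / span for t, s in sorted(sums.items())}

def count(rows, span):
    """Model of `timechart count`: one output row per bucket with its event count."""
    counts = defaultdict(int)
    for row in rows:
        counts[bucket(row["_time"], span)] += 1
    return [{"_time": t, "count": c} for t, c in sorted(counts.items())]

def constructed_events():
    """Constructed proxy events: 2 requests/s for 5 minutes, then 6 requests/s."""
    events = []
    for t in range(600):
        for _ in range(2 if t < 300 else 6):
            events.append({"_time": t, "bytes": 1500})
    return events

def requests_per_second(events, span):
    """Return (eval foo=1 variant, double-timechart variant) for one span."""
    marked = [dict(e, foo=1) for e in events]            # | eval foo=1
    single = per_second(marked, "foo", span)             # | timechart per_second(foo)
    double = per_second(count(events, span), "count", span)  # count, then per_second(count)
    return single, double

if __name__ == "__main__":
    for span in (60, 300):
        single, double = requests_per_second(constructed_events(), span)
        print(f"span={span}s identical={single == double} rates={single}")
```
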


aschutz
New Member

I have implemented the above

mysearch | timechart count | timechart per_second(count)

This gives me the correct result in terms of TPS summarise into .

I also need some assistance to calculate the 95th Percentile summary of the TPS data for a time period like one day, or month. The ultimate metric we need is to know the 95th Percentile TPS (or Request per Second) value in the defined span period to understand the platform capacity.

0 Karma

mattbrowncitrix
Engager

I signed up just to be able to upvote this question, since it has been so helpful to me!

Simeon
Splunk Employee

Sounds like you should be doing:

| timechart span=1s count as requests_per_second

Of course, you will hit a reporting limit with the 1 second span as you get to a certain number of events per time range. If you know that this is the most important count, then you could alternatively summary index every minute to get an average per minute. From there, you can use that value to get the counts per second.
