I'm creating a dashboard for web surfing activity which shows, among other things, the number of requests per second as well as the amount of bandwidth generated per second by these requests. The user is able to select the timespan in these charts so I don't want to specify a static span argument to timechart. The second case with bytes per second is solved by using per_second:
| timechart per_second(bytes) as "Bytes per second"
However per_second can't be used to do the same with the event count as it's not a field. If span was static I could do for instance timechart span=5m eval(count(bytes)/300) as "Requests per second" but I would like to avoid having to set the span like that. The only other way I've been able to think of is
| timechart count as reqcount | timechart per_second(reqcount) as "Requests per second"
but that seems a bit too resource consuming. Any ideas on other ways of making this work?
Well count is not a field but you can always make a field.
| eval foo=1 | timechart per_second(foo) as "Bytes per second"
or you could use one of the hidden fields that is always there on events.
| timechart per_second(_cd) as "Bytes per second"
and the double timechart clause that you have really doesn't consume any extra resources by the way. The first timechart will be doing all the work. And it's relatively easy to run little experiments seeing which versions are faster or slower.
All in all, I'd look at:
| timechart count | timechart per_second(count)
although it is a little weird looking. 😃
I have implemented the above
mysearch | timechart count | timechart per_second(count)
This gives me the correct result in terms of TPS summarise into .
I also need some assistance to calculate the 95th Percentile summary of the TPS data for a time period like one day, or month. The ultimate metric we need is to know the 95th Percentile TPS (or Request per Second) value in the defined span period to understand the platform capacity.
I signed up just to be able to upvote this question, since it has been so helpful to me!
Sounds like you should be doing:
| timechart span=1s count as requests_per_second
Of course, you will hit a reporting limit with the 1 second span as you get to a certain number of events per time range. If you know that this is the most important count, then you could alternatively summary index every minute to get an average per minute. From there, you can use that value to get the counts per second.
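An added example, not part of the original thread: a small Python model (not SPL) of the bucketing discussed above, showing why a 95th percentile taken over per-minute averages understates the 95th percentile of true per-second counts. The event data is constructed, the function names are hypothetical, and the nearest-rank percentile is an assumption that may differ from how Splunk computes perc95.

```python
import math
from collections import Counter

def rate_per_second(timestamps, start, end, span):
    """Events per second for each span-second bucket of [start, end).
    Empty buckets are kept as 0.0, mirroring count / span-in-seconds."""
    counts = Counter((int(t) - start) // span for t in timestamps if start <= t < end)
    n_buckets = math.ceil((end - start) / span)
    return [counts.get(i, 0) / span for i in range(n_buckets)]

def percentile(values, p):
    """Nearest-rank percentile (assumption: not necessarily Splunk's method)."""
    ordered = sorted(values)
    rank = max(1, math.ceil(p * len(ordered) / 100))
    return ordered[rank - 1]

def build_sample_events():
    """Constructed sample: 10 minutes at 2 req/s with a 40-second burst at 50 req/s."""
    events = []
    for sec in range(600):
        per_sec = 50 if 300 <= sec < 340 else 2
        events.extend(sec + i / per_sec for i in range(per_sec))
    return events

def summarize(events, start=0, end=600):
    """Compare 1-second buckets with 60-second averaged buckets."""
    tps_1s = rate_per_second(events, start, end, 1)
    tps_60s = rate_per_second(events, start, end, 60)
    return {
        "total": len(events),
        "p95_1s": percentile(tps_1s, 95),
        "p95_60s": percentile(tps_60s, 95),
        "peak_1s": max(tps_1s),
        "peak_60s": max(tps_60s),
    }

if __name__ == "__main__":
    for name, value in summarize(build_sample_events()).items():
        print(f"{name}: {value}")
```

For capacity planning, the percentile has to be taken over the 1-second series (or over a per-bucket maximum kept alongside the average), since the per-minute average smooths the burst away.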