You could go into Splunk's own metrics like this:
index=_internal component=metrics TERM(group=thruput) | timechart per_second(ev) by splunk_server
index=_internal component=metrics TERM(group=thruput) | timechart avg(instantaneous_eps) by splunk_server
The two use slightly different fields, and would produce vastly different results if your server isn't on all day.
Alternatively, you could also go into the actual data like this:
| tstats count where index=* OR index=_* by _time splunk_server | timechart per_second(count) by splunk_server
All three should output events per second, no hidden kilos. 150000 events per second on a single indexer would be quite a lot for an average.
thanks for the help.
I've used the alternative comand that you have offered and I got this data -
DATE INDEXER-1 INDEXER-2 SEARCHER INDEXER-3
2015-01-18 147.609884 19.576667 3.075718 26.912824
does it mean that I have 147+19+27 EPS ?
or is it in Kilo values ?