How to show events per second in timechart regardless of span?

Ayn
Legend

I'm creating a dashboard for web surfing activity which shows, among other things, the number of requests per second as well as the amount of bandwidth generated per second by these requests. The user is able to select the timespan in these charts so I don't want to specify a static span argument to timechart. The second case with bytes per second is solved by using per_second:

| timechart per_second(bytes) as "Bytes per second"

However, per_second can't be used to do the same with the event count as it's not a field. If span was static I could do, for instance, timechart span=5m eval(count(bytes)/300) as "Requests per second", but I would like to avoid having to set the span like that. The only other way I've been able to think of is

| timechart count as reqcount | timechart per_second(reqcount) as "Requests per second"

but that seems a bit too resource consuming. Any ideas on other ways of making this work?

1 Solution

sideview
SplunkTrust

Well, count is not a field, but you can always make a field.

| eval foo=1 | timechart per_second(foo) as "Requests per second"

or you could use one of the hidden fields that is always there on events.

| timechart per_second(_cd) as "Requests per second"

And the double timechart clause that you have really doesn't consume any extra resources, by the way. The first timechart will be doing all the work. And it's relatively easy to run little experiments seeing which versions are faster or slower.

All in all, I'd look at:

| timechart count | timechart per_second(count) 

although it is a little weird looking. 😃

aschutz
New Member

I have implemented the above

mysearch | timechart count | timechart per_second(count)

This gives me the correct result in terms of TPS summarise into .

I also need some assistance to calculate the 95th Percentile summary of the TPS data for a time period like one day, or month. The ultimate metric we need is to know the 95th Percentile TPS (or Request per Second) value in the defined span period to understand the platform capacity.


mattbrowncitrix
Engager

I signed up just to be able to upvote this question, since it has been so helpful to me!

Simeon
Splunk Employee

Sounds like you should be doing:

| timechart span=1s count as requests_per_second

Of course, you will hit a reporting limit with the 1 second span as you get to a certain number of events per time range. If you know that this is the most important count, then you could alternatively summary index every minute to get an average per minute. From there, you can use that value to get the counts per second.
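
An added example, not taken from any of the posts above: a small Python model of what `timechart count | timechart per_second(count)` yields at different spans, run over constructed timestamps. It assumes per_second is the bucket sum divided by the span in seconds and uses a nearest-rank percentile as a stand-in for `perc95`; all function names are hypothetical. It shows that the mean rate is the same at any span, while the 95th percentile and peak flatten as the span widens, which matters for the capacity question asked earlier in the thread.

```python
from collections import Counter

def timechart_count(timestamps, span, start, end):
    """Model `timechart span=<span>s count`: one row per bucket, empty buckets are 0."""
    counts = Counter((int(t) - start) // span for t in timestamps if start <= t < end)
    return [counts.get(i, 0) for i in range((end - start + span - 1) // span)]

def per_second(bucket_sums, span):
    """Model per_second(field): sum of the field in the bucket / span in seconds (assumption)."""
    return [s / span for s in bucket_sums]

def perc(values, p):
    """Nearest-rank percentile, used here as a stand-in for `stats perc95`."""
    ordered = sorted(values)
    rank = max(1, -(-p * len(ordered) // 100))  # ceil(p * n / 100)
    return ordered[rank - 1]

def rates(timestamps, span, start, end):
    """Requests per second for each bucket of the given span."""
    return per_second(timechart_count(timestamps, span, start, end), span)

# Constructed sample: 10 minutes at a steady 2 req/s ...
START, END = 0, 600
EVENTS = [s + i / 2 for s in range(START, END) for i in range(2)]
# ... plus a 60-second burst (seconds 270-329) that lifts the rate to 50 req/s.
EVENTS += [s + j / 100 for s in range(270, 330) for j in range(48)]

def summary(span):
    """Mean, 95th percentile and peak of the per-second rate at one span."""
    r = rates(EVENTS, span, START, END)
    return {"mean": sum(r) / len(r), "p95": perc(r, 95), "max": max(r)}

if __name__ == "__main__":
    for span in (1, 60, 300):
        print(f"span={span:>3}s", summary(span))
```
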
