Solved: How can I calculate in real-time the rate of event...

hexx · ‎09-23-2011

I would like to find out how many events per second my indexer is receiving and indexing.

What search could help me find this out?

hexx · ‎09-23-2011

Run the following search over the time range real-time(all time) and you will be able to see what your incoming event rate looks like :

index=savage_clowns | eval search_time=now() | eval seconds_elapsed=(time() - search_time) | eval secs=if(seconds_elapsed<0,"1",seconds_elapsed) | stats count as ecount, last(secs) AS seconds| stats last(ecount) AS "event count", last(seconds) AS "search seconds elapsed", last(eval(ecount/seconds)) AS eps

This example targets a specific index, but feel free to change the first search terms to better suit your needs.

View solution in original post

hexx · ‎09-23-2011

Run the following search over the time range real-time(all time) and you will be able to see what your incoming event rate looks like :

index=savage_clowns | eval search_time=now() | eval seconds_elapsed=(time() - search_time) | eval secs=if(seconds_elapsed<0,"1",seconds_elapsed) | stats count as ecount, last(secs) AS seconds| stats last(ecount) AS "event count", last(seconds) AS "search seconds elapsed", last(eval(ecount/seconds)) AS eps

This example targets a specific index, but feel free to change the first search terms to better suit your needs.

sonny_monti · ‎06-03-2019

savage_clowns killed me 😄 nice

How can I calculate in real-time the rate of events (eps) being indexed?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life