Hi All,
I am trying to gather transaction per second on my 4 servers for each day over a week.
I would like to sample every hour, but display the max value for that day.
However, the result I get is just the max value applied to each day.
When I table the values individually, I get the correct (ie different values), so I can see the total transaction for the hour. It's just when I introduce eventstats
where I then get then same value entered for each hour.
index=int_rad sourcetype=int_rad_log start OR access OR stop | timechart count span=1h by host | eval TPS_rad1=(radhostp01/60)/60| eval TPS_rad2=(radhostp02/60)/60| eval TPS_rad3=(radhostp03/60)/60| eval TPS_rad4=(radhostp04/60)/60 | eventstats max(TPS_rad1) AS TPS_RAD1| eventstats max(TPS_rad2) AS TPS_RAD2 | eventstats max(TPS_rad3) AS TPS_RAD3| eventstats max(TPS_rad4) AS TPS_RAD4 |rename _time AS DATE| eval DATE=strftime(DATE, "%a %b %e") | table DATE TPS_RAD1,TPS_RAD2, TPS_RAD3, TPS_RAD4
DATE TPS_RAD1 TPS_RAD2 TPS_RAD3 TPS_RAD4
Sun Apr 24 175.821238 84.812951 183.823877 24.492315
Sat Apr 23 175.821238 84.812951 183.823877 24.492315
Fri Apr 22 175.821238 84.812951 183.823877 24.492315
Thu Apr 21 175.821238 84.812951 183.823877 24.492315
Wed Apr 20 175.821238 84.812951 183.823877 24.492315
Tue Apr 19 175.821238 84.812951 183.823877 24.492315
Mon Apr 18 175.821238 84.812951 183.823877 24.49231
thanks
You're missing the groupby clause in the eventstats. With no groupby, the result is just one row/one column which will repeated for all. What you're trying to achieve can be achieved by this.
index=int_rad sourcetype=int_rad_log start OR access OR stop | timechart count span=1h by host | eval TPS_rad1=(radhostp01/60)/60| eval TPS_rad2=(radhostp02/60)/60| eval TPS_rad3=(radhostp03/60)/60| eval TPS_rad4=(radhostp04/60)/60 | timechart span=1d max(TPS_RA*) as TPS_RA* | eval Date=strftime(_time,"%a %b %e") | table Date TPS_RAD*
You're missing the groupby clause in the eventstats. With no groupby, the result is just one row/one column which will repeated for all. What you're trying to achieve can be achieved by this.
index=int_rad sourcetype=int_rad_log start OR access OR stop | timechart count span=1h by host | eval TPS_rad1=(radhostp01/60)/60| eval TPS_rad2=(radhostp02/60)/60| eval TPS_rad3=(radhostp03/60)/60| eval TPS_rad4=(radhostp04/60)/60 | timechart span=1d max(TPS_RA*) as TPS_RA* | eval Date=strftime(_time,"%a %b %e") | table Date TPS_RAD*
thanks somesoni2,
this worked a treat!