I have a saved search:
source=/opt/app/workload/MCRRepo/*/*.csv
| rex "(?.*),(?.*),(?.*),(?.*),(?.*),(?.*)"
| search componentName=ServiceComponent* measurementName=transactionAttempts
| sitimechart span=5m per_second(counterValue)
When I run the normal version of this query over a 24 hour period:
source=/opt/app/workload/MCRRepo/*/*.csv
| rex "(?.*),(?.*),(?.*),(?.*),(?.*),(?.*)"
| search componentName=ServiceComponent* measurementName=transactionAttempts
| timechart span=5m per_second(counterValue)
I get per_second
ranges of up to 7000 TPS
which matches the expected range of my data. But when I run the query against the summary index using the query over a 7 day or longer period:
index=summary search_name="MCR_TPS"
| timechart span=5min per_second(counterValue)
I get per_second
ranges up to 200K
. What am I missing? The TPS
should still range up to 7000 TPS
for each of the 7 days.
What is the timepicker window for the populating search that is dropping events into your summary index?
try this
index=summary search_name="MCR_TPS"
and this
index=summary search_name="MCR_TPS" | sitimechart span=5min per_second(counterValue)