Using per_second with summary index not working

techols · ‎04-01-2017

I have a saved search:

source=/opt/app/workload/MCRRepo/*/*.csv
| rex "(?.*),(?.*),(?.*),(?.*),(?.*),(?.*)"
| search componentName=ServiceComponent* measurementName=transactionAttempts
| sitimechart span=5m per_second(counterValue)

When I run the normal version of this query over a 24 hour period:

source=/opt/app/workload/MCRRepo/*/*.csv
| rex "(?.*),(?.*),(?.*),(?.*),(?.*),(?.*)"
| search componentName=ServiceComponent* measurementName=transactionAttempts
| timechart span=5m per_second(counterValue)

I get per_second ranges of up to 7000 TPS which matches the expected range of my data. But when I run the query against the summary index using the query over a 7 day or longer period:

index=summary search_name="MCR_TPS" 
| timechart span=5min per_second(counterValue)

I get per_second ranges up to 200K. What am I missing? The TPS should still range up to 7000 TPS for each of the 7 days.

woodcock · ‎09-10-2017

What is the timepicker window for the populating search that is dropping events into your summary index?

DalJeanis · ‎04-03-2017

try this

index=summary search_name="MCR_TPS"

and this

index=summary search_name="MCR_TPS" | sitimechart span=5min per_second(counterValue)

Using per_second with summary index not working

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!