Displaying Peak message count per second for 24 ho...

madanashok · ‎10-18-2012

Hi Splunkers,

Can you please help me with query to show stats like this below

Date PeakMsgPersec(01Hr) PeakMsgPersec(02Hr).... PeakMsgPersec(023Hr)

18-oct-2012 3 4 3
17-oct-2012 2 2 4
.
.
.

1-oct-2012 2 3 3

I need to display like this in colourful table format.

kristian_kolb · ‎10-18-2012

Spent too much time getting chart to show all columns....anyway, this is slightly shorter.

sourcetype=your_sourcetype earliest=@mon 
| bucket _time span=1s 
| stats c by _time
| eval day=strftime(_time, "%Y-%m-%d") 
| eval hour=strftime(_time, "%H") 
| chart max(c) over day by hour useother=false limit=24

Not too sure it's more efficient though...

madanashok · ‎10-19-2012

Thankyou very much jonuwz and kristian.Both the queries giving same results.I think, I got what is expected.I need to use summary indexing and let me check.

jonuwz · ‎10-18-2012

This is very expensive if you have a lot of data.

You might want to think about summary indexing every hour if this is going to be a common thing.

* | bin _time span=1s | stats count by _time | bin _time span=1h | stats max(count) as count by _time | eval hour=relative_time(_time,"@h") | eval day=strftime(hour,"%Y-%m-%d") | eval hour=strftime(hour,"%H") | chart limit=0 first(count) as peak over day by hour

Ayn · ‎10-18-2012

I posted an answer, but redacted it because I've no idea how you get the PeakMsgPersec value? Is this something you already have, or do you need to calculate it first? If you want to check each second of a whole month, you're going to run into limits problems with timechart.

Displaying Peak message count per second for 24 hours over a month

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!