Splunk Search

How to find the request per second by organization?

sangs8788
Communicator

Hi

I have an event which is comprised of OrgName, RequestName and others. How do I find the average & max requests per sec by OrgName using the per_second() function?

I tried doing a timechart of per_sec() by OrgName. But it gives me, for every second, the per_second() value with OrgName as the column names. I want to calculate the average & max requests per sec by OrgName.

Could you please let me know how to achieve this.

0 Karma
1 Solution

MathiasLindblom
Path Finder

Hi,

Maybe this query can point you in the right direction! It's not using the per_second from timechart, but should hopefully get the output you are looking for:

    <SEARCH>
        | bin _time span=1d
        | streamstats count as Req by OrgName
        | eval requestsPerMin=Req/24/60
        | eval requestsPerSec=requestsPerMin/60
        | stats avg(requestsPerSec) as avgRequestPerSec, max(requestsPerMin) as peakRequestPerMin by OrgName

If you want to see the result/day, add _time to streamstats and stats to split it per day:

    <SEARCH>
        | bin _time span=1d
        | streamstats count as Req by OrgName, _time
        | eval requestsPerMin=Req/24/60
        | eval requestsPerSec=requestsPerMin/60
        | stats avg(requestsPerSec) as avgRequestPerSec, max(requestsPerMin) as peakRequestPerMin by OrgName, _time


sangs8788
Communicator

Thanks ! This would work for me.

0 Karma

sangs8788
Communicator

@MathiasLindblom Sorry if I am being silly. I am a bit confused here. What does bin _time span=1d mean here? Suppose I want to find the avg requests per min for a week/month, should I update it to bin _time span=1w or bin _time span=30d?

    index=data earliest=@w latest=now | bin _time span=1w
     | streamstats count as Req by OrgName, _time
     | eval requestsPerMin=Req/24/60
     | eval requestsPerSec=requestsPerMin/60
     | stats avg(requestsPerMin) as avgRequestPerSec, max(requestsPerMin) as peakRequestPerMin by OrgName
0 Karma

MathiasLindblom
Path Finder

Hi @sangs8788 , sorry for the late reply!
No worries, the bin command is just to split up the events per day so I get the correct results for requestsPerMin/Sec. As I look at it again now, this search won't be 100% correct since the current hour/day/week/month won't be showing the correct results if it hasn't ended (consider using latest=@h to ignore the latest, not yet ended hour).

If you want the avg of this week I would suggest you use a search like the first one I posted above like this:

    index=data earliest=@w latest=d@h
        | bin _time span=1h
        | streamstats count as Req by OrgName
        | eval requestsPerMin=Req/60
        | eval requestsPerSec=requestsPerMin/60
        | stats avg(requestsPerSec) as avgRequestPerSec, max(requestsPerMin) as peakRequestPerMin by OrgName

This will give you the avg and max of the current week.
Good luck!

0 Karma

sangs8788
Communicator

Could someone help me out on this?

Below is the query which I was discussing earlier:

    | eval requestcount=1
        | timechart per_second(requestcount) as RequestPerSec per_minute(requestcount) AS RequestPerMin by OrgName
        | timechart span=1d avg(RequestPerSec) as avgRequestPerSec max(RequestPerSec) as peakRequestPerSec

The above query doesn't work since the OrgName becomes the actual organization field names.
Could you please let me know how to compute avg & max per OrgName?

0 Karma

MathiasLindblom
Path Finder

Hi,

Is there a special reason why you need to use the per_second() function? Looking at the query you didn't get working, it looks like you want avg and peak usage for each OrgName/day? With a table like this:

OrgName1 | AvgReqPerSec | PeakReqPerSec
OrgName2 | AvgReqPerSec | PeakReqPerSec

0 Karma

sangs8788
Communicator

I am trying to see what throughput our application is providing for each organisation, or by any other criteria like host server, something like that. That's the exact format I am also looking for.

0 Karma

inventsekar
Ultra Champion

The above query doesnt work since the OrgName becomes the actual organization field names. ///
bit confused here.. not sure how OrgName becomes the actual organization field names?!?!?
do you already have a field called OrgName in the events itself ah?!?!

0 Karma

sangs8788
Communicator

Yes. That's the problem.

0 Karma
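
An added example, not from any post in this thread: one way to produce the table discussed above (average and peak requests per second per OrgName) without timechart, whose by clause turns each OrgName value into its own column. It counts events per one-second bucket and then aggregates per organization; index=data and the time range are taken from the posts above, and the field names requests, total, window_start and window_end are chosen here for illustration.

```spl
index=data earliest=@w latest=@h
| bin _time span=1s
| stats count AS requests BY _time, OrgName
| addinfo
| stats sum(requests) AS total,
        max(requests) AS peakRequestPerSec,
        min(info_min_time) AS window_start,
        max(info_max_time) AS window_end
        BY OrgName
| eval avgRequestPerSec = round(total / (window_end - window_start), 3)
| fields OrgName, avgRequestPerSec, peakRequestPerSec
```

Dividing by the search window from addinfo makes the average include seconds with no requests; avg(requests) over the one-second buckets would count only the seconds in which the organization sent at least one request.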