Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Calculate Packets per second (PPS) over 1st Quarter

Adrian
Path Finder
‎04-19-2013 11:37 AM

Trying to calculate the Packets per second (PPS) for sourcetype=traffic during the 1st quarter of 2013. Understand the mathematical formula just having problem formulating the right syntax. Can anyone offer some helpful insight?

Logic:

add total packets for 1st quarter - stats count sum(packet_count) divide by seconds in 90 days - /7776000 result should be PPS

This is my progress so far:

index=test sourcetype="traffic" earliest="1/1/2013:00:00:00" latest="4/1/2013:00:00:00" | eval PPS = stats count sum(packet_count)/7776000

Thank you in advance!

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎04-19-2013 11:42 AM 
index=test sourcetype="traffic" earliest=-1q@q latest=@q | stats per_second(packet_count) as PPS

View solution in original post

Reply
Solved! Jump to solution

Adrian
Path Finder
‎04-19-2013 12:12 PM

I think I just answered my own question with a little insight from Ayn:

index=test sourcetype="traffic" earliest="-1q@q" latest="@q" | stats sum(packet_count) as packets | eval PPS = packets/7776000

0 Karma
Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎04-19-2013 11:42 AM 
index=test sourcetype="traffic" earliest=-1q@q latest=@q | stats per_second(packet_count) as PPS
Reply
Solved! Jump to solution

Adrian
Path Finder
‎04-19-2013 02:22 PM

Thanks for the help... Timechart seems to be a more elegant solution. I was also able to find an answer using the search below your answer (it worked but it's ugly)

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎04-19-2013 12:17 PM

My apologies, I forgot that the per_second function is valid for timechart only. You could either simply use timechart:

index=test sourcetype="traffic" earliest=-1q@q latest=@q | timechart span=1q per_second(packet_count) as PPS

Or run stats as you originally planned:

index=test sourcetype="traffic" earliest=-1q@q latest=@q | stats eval(sum(packet_count)/7776000) as PPS
0 Karma
Reply
Solved! Jump to solution

Adrian
Path Finder
‎04-19-2013 11:49 AM

Ayn, thanks for the quick response, but I am receiving:

Error in 'stats' command: The argument 'per_second(packet_count)' is invalid.

packet_count is a fieldname with a respective value... The reason which I was trying to sum first. Sorry I left that out of my question.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...