topic Re: Calculate the number of Events Per Day in Splunk Search

How do I calculate the number of Events Per Day so I can then divide by 86400 to get the daily EPS?

Rhidian — Fri, 29 Jul 2022 15:37:46 GMT

Hi,

I'm trying to calculate the number of events per day so I can then divide by 86400 to get the daily EPS. I know I can get the EPS "directly" using various queries like the below but I don't really understand the logic as what is the ev field and how is it calculated?

Re: Calculate the number of Events Per Day

richgalloway — Fri, 29 Jul 2022 15:36:32 GMT

The per_second function sums the given field then divides the total by the number of seconds in the interval to get the per-second value.

The ev field in Metrics events is the number of events received in the current sampling interval.

Re: Calculate the number of Events Per Day

Rhidian — Fri, 29 Jul 2022 15:47:57 GMT

So the sum of ev is the total number of events for the interval?

Re: Calculate the number of Events Per Day

richgalloway — Fri, 29 Jul 2022 16:44:44 GMT

Yes, but it's not 100% accurate so the number calculated here may not match your license usage. See https://docs.splunk.com/Documentation/Splunk/9.0.0/Troubleshooting/Aboutmetricslog and https://docs.splunk.com/Documentation/Splunk/9.0.0/Troubleshooting/Aboutmetricslog#Thruput_messages:~:text=The%20per_x_thruput%20categories%20are%20not%20complete.

Re: How do I calculate the number of Events Per Day so I can then divide by 86400 to get the daily EPS?

Rhidian — Fri, 29 Jul 2022 21:31:44 GMT

Thanks, is there a way to show the events through the data as when I do a search my results no where near match the number produced by using ev?

Re: Calculate the number of Events Per Day

Rhidian — Sat, 30 Jul 2022 07:43:53 GMT

Thanks, is there a way to show the events through the data as when I do a search my results no where near match the number produced by using ev?

Re: Calculate the number of Events Per Day

Rhidian — Mon, 01 Aug 2022 08:17:59 GMT

Unfortunately summing ev suggests I had an EPS of 18396 which is way off the mark. Any other ideas?

Re: Calculate the number of Events Per Day

richgalloway — Mon, 01 Aug 2022 13:13:42 GMT

Make sure the numbers being added are from the same interval.

Re: Calculate the number of Events Per Day

isoutamo — Mon, 01 Aug 2022 13:26:29 GMT

from documentation which @richgalloway pointed to you, you see this

By default, metrics.log reports the top 10 results for each type. You can change that number of series from the default by editing the value of maxseries in the [metrics] stanza in limits.conf.

So it's not report all events which splunk ingesting/read/send etc. That's the reason why you cannot see/get correct values. All those values what you are getting from metrics.log are just estimates not exact values for all data.

If you need a real EPS you must count e.g. indexed events per time slot using _indextime not _time. Or another option is use some apps or another way to get exact numbers from needed place.

r. Ismo

Re: How do I calculate the number of Events Per Day so I can then divide by 86400 to get the daily EPS?

richgalloway — Mon, 01 Aug 2022 13:37:39 GMT

To count events use the tstats command.

| tstats count where index=* _index_earliest=-1d@d _index_latest=@d by index

Re: Calculate the number of Events Per Day

Rhidian — Mon, 22 Aug 2022 11:52:08 GMT

Thanks, could you please provide such a query?

Re: How do I calculate the number of Events Per Day so I can then divide by 86400 to get the daily EPS?

maede_yavari — Sat, 09 Dec 2023 13:04:16 GMT

Hello,

is it possible to execute the following command to calculate Event per day in one week?

index=* earliest=-7d | timechart span=1d count

Re: How do I calculate the number of Events Per Day so I can then divide by 86400 to get the daily EPS?

richgalloway — Sat, 09 Dec 2023 13:25:07 GMT

Yes, it's possible, but don't do that. It tells Splunk to open every bucket with data from the last seven days and read all of the events from that time. It will be slow and wasteful of resources. Use tstats, instead.