topic Re: How can I show average, peak, and peak time in a single search? in Splunk Search

How can I show average, peak, and peak time in a single search?

wierling — Mon, 09 Nov 2015 20:20:38 GMT

Hi, my first post..I'm trying to display in a search the Average TPS (transactions per second), along with Peak TPS, along with timestamp that peak TPS occurred at in a 1 hour window.
Example:
AvgTPS | PeakTPS | PeakTime
100 | 500 | 11:05:15

I can get the values in separate searches, but can't seem to combine them into a single table result as above.

Here is the search that gets Average and Peak TPS:

index=test | timechart span=1m count(index) AS TPM | eval TPS=TPM/60 | stats avg(TPS) as avgTPS, max(TPS) as peakTPS

Here's the search that gets Peak TPS and Time peak occurred:

index=test | timechart span=1m count(index) AS TPM | eval peakTPS=TPM/60 | table peakTPS _time | sort peakTPS desc | head 1

How can I get the results in a single search?
Thanks,
-Bob

Re: How can I show average, peak, and peak time in a single search?

lguinn2 — Mon, 09 Nov 2015 21:39:50 GMT

Try this!

index=test 
| timechart span=1s count AS TPS
| eventstats max(TPS) as peakTPS
| eval peakTime=if(peakTPS==TPS,_time,null())
| stats avg(TPS) as avgTPS first(peakTPS) as peakTPS first(peakTime) as peakTime
| fieldformat peakTime=strftime(peakTime,"%x %X")

The eventstats command calculates the peakTPS and then the following eval command determines when that peakTPS occurred.

Re: How can I show average, peak, and peak time in a single search?

wierling — Tue, 10 Nov 2015 13:52:13 GMT

That worked! Thanks for quick reply and solution.