Getting Data In

How can I calculate in real-time the rate of events (eps) being indexed?

Splunk Employee
Splunk Employee

I would like to find out how many events per second my indexer is receiving and indexing.

What search could help me find this out?

Tags (2)
1 Solution

Splunk Employee
Splunk Employee

Run the following search over the time range real-time(all time) and you will be able to see what your incoming event rate looks like :

index=savage_clowns | eval search_time=now() | eval seconds_elapsed=(time() - search_time) | eval secs=if(seconds_elapsed<0,"1",seconds_elapsed) | stats count as ecount, last(secs) AS seconds| stats last(ecount) AS "event count", last(seconds) AS "search seconds elapsed", last(eval(ecount/seconds)) AS eps

This example targets a specific index, but feel free to change the first search terms to better suit your needs.

View solution in original post

Splunk Employee
Splunk Employee

Run the following search over the time range real-time(all time) and you will be able to see what your incoming event rate looks like :

index=savage_clowns | eval search_time=now() | eval seconds_elapsed=(time() - search_time) | eval secs=if(seconds_elapsed<0,"1",seconds_elapsed) | stats count as ecount, last(secs) AS seconds| stats last(ecount) AS "event count", last(seconds) AS "search seconds elapsed", last(eval(ecount/seconds)) AS eps

This example targets a specific index, but feel free to change the first search terms to better suit your needs.

View solution in original post

Path Finder

savage_clowns killed me 😄 nice

0 Karma