Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Query to calculate max TPS over period of time (3 months) everyday

Sishad
Explorer
‎10-13-2024 08:57 AM

Hi Splunk Experts,

Can you please let me know how we can calculate the max and avg TPS for a time period of last 3 months along with the exact time of occurrence.

I came up with below query, but it is showing me error as the count of event is greater than 50000.
Can anyone please help or guide me on how to overcome this issue.

 

index=XXX "attrs"=traffic NOT metas | timechart span=1s count AS TPS | eventstats max(TPS) as MAX_TPS | eval Peak_Time=if(MAX_TPS==TPS,_time,null()) | stats avg(TPS) as AVG_TPS first(MAX_TPS) as MAX_TPS first(Peak_Time) as Peak_Time | fieldformat Peak_Time=strftime(Peak_Time,"%x %X")

 

 

Sishad_0-1728834777754.png

 

Labels (2)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎10-13-2024 09:40 AM

Well, 1s span for three days is indeed quite a lot of results but I don't see a problem with that.

A run-anywhere example

| makeresults count=3000000
| streamstats count 
| eval _time=_time-count/10
| eval _time=_time+((random()%10-5))
| timechart span=1s count

What version are you using?

EDIT: OK, I read days where you wanted months. Still it's less than 8 million rows. It might be a bit performance-intensive but Splunk should manage provided you have enough memory.

And to limit memory usage, remove the raw event value as early as possible. So

<your initial search> | fields - _raw | timechart ...

 

 

0 Karma
Reply

Sishad
Explorer
‎10-13-2024 10:07 AM

Version is Splunk Cloud 9.1.2312

I am looking for only these values day wise may be in last 7 days.

Sishad_0-1728838762144.png

 

 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎10-13-2024 11:16 AM

It looks strange but I'm no expert on Cloud. Are you sure it isn't about visualization only?

Anyway, you can probably emulate your relatively simple timechart with either simple

bin | stats by _time

or several passes with streamstats

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...