Monitoring Splunk

Query to calculate max TPS over period of time (3 months) everyday

Sishad
Explorer

Hi Splunk Experts,

Can you please let me know how we can calculate the max and avg TPS for a time period of the last 3 months, along with the exact time of occurrence?

I came up with the query below, but it is showing me an error as the count of events is greater than 50000.
Can anyone please help or guide me on how to overcome this issue?

index=XXX "attrs"=traffic NOT metas
| timechart span=1s count AS TPS
| eventstats max(TPS) as MAX_TPS
| eval Peak_Time=if(MAX_TPS==TPS,_time,null())
| stats avg(TPS) as AVG_TPS first(MAX_TPS) as MAX_TPS first(Peak_Time) as Peak_Time
| fieldformat Peak_Time=strftime(Peak_Time,"%x %X")

PickleRick
SplunkTrust

Well, a 1s span for three days is indeed quite a lot of results, but I don't see a problem with that.

A run-anywhere example:

| makeresults count=3000000
| streamstats count
| eval _time=_time-count/10
| eval _time=_time+((random()%10-5))
| timechart span=1s count

What version are you using?

EDIT: OK, I read days where you wanted months. Still it's less than 8 million rows. It might be a bit performance-intensive but Splunk should manage provided you have enough memory.

And to limit memory usage, remove the raw event value as early as possible. So:

<your initial search> | fields - _raw | timechart ...

Sishad
Explorer

Version is Splunk Cloud 9.1.2312

I am looking for only these values day-wise, maybe in the last 7 days.

PickleRick
SplunkTrust

It looks strange but I'm no expert on Cloud. Are you sure it isn't about visualization only?

Anyway, you can probably emulate your relatively simple timechart with either a simple

bin | stats by _time

or several passes with streamstats

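Putting the bin | stats suggestion together with the per-day max, avg and peak-time ask from the original question, as an added example that is not from either poster: the index, field and search terms come from the question, while the 7-day window, the early `fields - _raw`, and the `day` field are assumptions.

```spl
index=XXX "attrs"=traffic NOT metas earliest=-7d@d latest=@d
| fields - _raw
| bin _time span=1s
| stats count AS TPS by _time
| eval day=strftime(_time, "%Y-%m-%d")
| eventstats max(TPS) AS MAX_TPS by day
| eval Peak_Time=if(TPS==MAX_TPS, _time, null())
| stats avg(TPS) AS AVG_TPS max(TPS) AS MAX_TPS min(Peak_Time) AS Peak_Time by day
| fieldformat Peak_Time=strftime(Peak_Time, "%x %X")
```

Unlike timechart, `stats count by _time` drops seconds with no events, so AVG_TPS here is the average over seconds that had traffic; MAX_TPS and Peak_Time are unaffected, and if several seconds tie for the peak, min() returns the earliest one.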