Monitoring Splunk
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

tstats command consumes a lot of IO and runs for 20 minutes

jarush
Explorer
‎04-14-2020 08:13 AM

I'm running this query to get average event counts per day by index. When I run this, each site does an aggregate 2.5GB/s of IO each for 15 - 30 minutes to satisfy the query. Our understanding is that this is just metadata, so this is fairly surprising. Does anyone know why this is and have a better way to write this query?

| tstats count where (index=* OR index=_*) AND earliest=-w@w+1d latest=-w@w+6d  by index
| eval eventCountPerDay=count/5 
| table index, eventCountPerDay
Labels (1)
Labels
0 Karma
Reply

jarush
Explorer
‎05-24-2020 06:52 AM

Does anyone have any thoughts on this one? or any other way to get avg # of events per day by index?

0 Karma
Reply

to4kawa
Ultra Champion
‎04-14-2020 02:12 PM 
|metadata type=hosts index=A
| stats sum(totalcount) as total 
| eval index="A"
| append [     |metadata type=hosts index=B
| stats sum(totalcount) as total 
| eval index="B"]
| append [ ....
| eval day=strptime(relative_time(now(),"-1d"), "%F")
| outputlookup append=t dailyresult.csv

make report daily and search weekly.

0 Karma
Reply

DalJeanis
Legend
‎04-14-2020 11:26 AM

Okay, that sounds odd. Also, The earliest/latest in that position looks odd to me. The system may actually be calculating an earliest/latest field for each event or something weird like that.

First, take the earliest/latest out of your search, and use the time picker to set the beginning and ending for the search period.

Run the query. If it takes the same amount of time, then that may be how long it takes given your hardware and data. (It should not be)

You may also try this alternate and see what happens: 

 | tstats count as daycount where (index=* OR index=_*)  by index span=1d
 | stats avg(daycount) as eventCountPerDay by index
0 Karma
Reply

jarush
Explorer
‎04-14-2020 11:55 AM

It seemed to run faster when specifying via the date picker, but it also did more IO (we got up to 10GB/s....). I tried your query and that tosses out an error: Error in TsidxStats: span argument is only supported for _time.

0 Karma
Reply

to4kawa
Ultra Champion
‎04-14-2020 01:56 PM 
 | tstats count as daycount where (index=* OR index=_*)  by index _time span=1d
  | stats avg(daycount) as eventCountPerDay by index

There is a typo.

0 Karma
Reply

jarush
Explorer
‎04-14-2020 02:34 PM

this has the same impact on the environment.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...