Reporting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

VIEW n events pear second

gbriones
Engager
‎04-14-2021 08:51 AM

I need  to show first 40 events pear seconds in the range 15 minutes.

 

Labels (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-14-2021 09:48 AM 
... | sort _time
| eval seconds=floor(_time)
| streamstats count by seconds
| where count <= 40

View solution in original post

0 Karma
Reply
Solved! Jump to solution

gbriones
Engager
‎04-14-2021 09:45 AM

For example, if 100 events fell in one second, I need to only take the first 40 and continue with the next second

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-14-2021 08:59 AM

Assuming your search is over a 15 minute period, round time to seconds, and count events by second, then only keep the first 40 per second

... | eval seconds=round(_time,0)
| streamstats count by seconds
| where count <= 40
0 Karma
Reply
Solved! Jump to solution

gbriones
Engager
‎04-14-2021 09:11 AM

Thanks for respond but  I see to look more 40 events pear second:

| dedup id | eval seconds=round(_time,0)
| streamstats count by seconds | where count <= 40 | timechart span=1s count

gbriones_0-1618416601195.png

 

Tags (1)
0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-14-2021 09:17 AM

Does sorting by time first help?

... | sort _time
| eval seconds=round(_time,0)
| streamstats count by seconds
| where count <= 40
0 Karma
Reply
Solved! Jump to solution

gbriones
Engager
‎04-14-2021 09:30 AM

keeps showing results greater than 40 😞

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-14-2021 09:48 AM 
... | sort _time
| eval seconds=floor(_time)
| streamstats count by seconds
| where count <= 40
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...