Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Calculate Packets per second (PPS) over 1st Quarter

Adrian
Path Finder
‎04-19-2013 11:37 AM

Trying to calculate the Packets per second (PPS) for sourcetype=traffic during the 1st quarter of 2013. Understand the mathematical formula just having problem formulating the right syntax. Can anyone offer some helpful insight?

Logic:

add total packets for 1st quarter - stats count sum(packet_count) divide by seconds in 90 days - /7776000 result should be PPS

This is my progress so far:

index=test sourcetype="traffic" earliest="1/1/2013:00:00:00" latest="4/1/2013:00:00:00" | eval PPS = stats count sum(packet_count)/7776000

Thank you in advance!

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎04-19-2013 11:42 AM 
index=test sourcetype="traffic" earliest=-1q@q latest=@q | stats per_second(packet_count) as PPS

View solution in original post

Reply
Solved! Jump to solution

Adrian
Path Finder
‎04-19-2013 12:12 PM

I think I just answered my own question with a little insight from Ayn:

index=test sourcetype="traffic" earliest="-1q@q" latest="@q" | stats sum(packet_count) as packets | eval PPS = packets/7776000

0 Karma
Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎04-19-2013 11:42 AM 
index=test sourcetype="traffic" earliest=-1q@q latest=@q | stats per_second(packet_count) as PPS
Reply
Solved! Jump to solution

Adrian
Path Finder
‎04-19-2013 02:22 PM

Thanks for the help... Timechart seems to be a more elegant solution. I was also able to find an answer using the search below your answer (it worked but it's ugly)

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎04-19-2013 12:17 PM

My apologies, I forgot that the per_second function is valid for timechart only. You could either simply use timechart:

index=test sourcetype="traffic" earliest=-1q@q latest=@q | timechart span=1q per_second(packet_count) as PPS

Or run stats as you originally planned:

index=test sourcetype="traffic" earliest=-1q@q latest=@q | stats eval(sum(packet_count)/7776000) as PPS
0 Karma
Reply
Solved! Jump to solution

Adrian
Path Finder
‎04-19-2013 11:49 AM

Ayn, thanks for the quick response, but I am receiving:

Error in 'stats' command: The argument 'per_second(packet_count)' is invalid.

packet_count is a fieldname with a respective value... The reason which I was trying to sum first. Sorry I left that out of my question.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...