- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Calculate Packets per second (PPS) over 1st Qu...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Trying to calculate the Packets per second (PPS) for sourcetype=traffic during the 1st quarter of 2013. Understand the mathematical formula just having problem formulating the right syntax. Can anyone offer some helpful insight?
Logic:
add total packets for 1st quarter - stats count sum(packet_count) divide by seconds in 90 days - /7776000 result should be PPS
This is my progress so far:
index=test sourcetype="traffic" earliest="1/1/2013:00:00:00" latest="4/1/2013:00:00:00" | eval PPS = stats count sum(packet_count)/7776000
Thank you in advance!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=test sourcetype="traffic" earliest=-1q@q latest=@q | stats per_second(packet_count) as PPS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think I just answered my own question with a little insight from Ayn:
index=test sourcetype="traffic" earliest="-1q@q" latest="@q" | stats sum(packet_count) as packets | eval PPS = packets/7776000
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=test sourcetype="traffic" earliest=-1q@q latest=@q | stats per_second(packet_count) as PPS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the help... Timechart seems to be a more elegant solution. I was also able to find an answer using the search below your answer (it worked but it's ugly)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My apologies, I forgot that the per_second function is valid for timechart only. You could either simply use timechart:
index=test sourcetype="traffic" earliest=-1q@q latest=@q | timechart span=1q per_second(packet_count) as PPS
Or run stats as you originally planned:
index=test sourcetype="traffic" earliest=-1q@q latest=@q | stats eval(sum(packet_count)/7776000) as PPS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ayn, thanks for the quick response, but I am receiving:
Error in 'stats' command: The argument 'per_second(packet_count)' is invalid.
packet_count is a fieldname with a respective value... The reason which I was trying to sum first. Sorry I left that out of my question.
Infographic provides the TL;DR for the 2023 Splunk Career Impact Report
Splunk Lantern | Getting Started with Edge Processor, Machine Learning Toolkit ...
Enterprise Security Content Update (ESCU) | New Releases
