Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Calculating Source type info indexing rate and EPS

Splunk_rocks
Path Finder
‎03-19-2018 06:30 AM

Hello Splunkers,

I would like to calculate below EPS values for 30 days time period for each source type on one combined search and i have individual searches but just want to see if i can get some thing here.

Average Event Size EPS (KBPS)
Max EPS (KBPS)
Average EPS (KB)
General EPS (KB)

Tags (2)
0 Karma
Reply

damiensurat
Contributor
‎03-19-2018 07:19 AM

If you're running the latest version, some of that info is on the Index Activity dashboard, and you can use that search as a start.

Change out the calc for measuring max, min, avg, etc
EG:
timechart avg(kbps) by series
timechart max(kbps) by series

kbps by sourcetype: index="_internal" source=*metrics.log group="per_sourcetype_thruput" | timechart avg(kbps) by series

eps by sourcetype: index="_internal" source=*metrics.log group="per_sourcetype_thruput" | timechart avg(eps) by series

If you wanted host or source, use group="per_source_thruput" or group="per_host_thruput" instead.

ah, one more suggestion... If you don't want to chart the results in a timeseries, you can swap out the timechart command with the stats command which may be a better fit for the solution you are looking for:

EG:
index="_internal" source=*metrics.log group="per_sourcetype_thruput" | stats avg(eps) by series

0 Karma
Reply

Splunk_rocks
Path Finder
‎03-19-2018 08:27 AM

Thanks but i dont have access to DMC so that is why im looking for individual searches .

0 Karma
Reply

Splunk_rocks
Path Finder
‎03-19-2018 08:46 AM

I just need calculate index=* sourcetype=* not from internal index

0 Karma
Reply

damiensurat
Contributor
‎03-19-2018 09:26 AM

Use tstats and specify the variables:

• index=main
• earliest=-30d
• groupby (_time, sourcetype)
• span=1s

| tstats count as COUNT where index=main earliest=-30d by _time,sourcetype span=1s | timechart span=1h max(COUNT) as eps by sourcetype useother=f

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...