Calculating Source type info indexing rate and EPS

Splunk_rocks
Path Finder

Hello Splunkers,

I would like to calculate the below EPS values for a 30-day time period for each source type in one combined search. I have individual searches but just want to see if I can get something here.

Average Event Size EPS (KBPS)
Max EPS (KBPS)
Average EPS (KB)
General EPS (KB)


damiensurat
Contributor

If you're running the latest version, some of that info is on the Index Activity dashboard, and you can use that search as a start.

Change out the calc for measuring max, min, avg, etc.
EG:
timechart avg(kbps) by series
timechart max(kbps) by series

kbps by sourcetype: index="_internal" source=*metrics.log group="per_sourcetype_thruput" | timechart avg(kbps) by series

eps by sourcetype: index="_internal" source=*metrics.log group="per_sourcetype_thruput" | timechart avg(eps) by series

If you wanted host or source, use group="per_source_thruput" or group="per_host_thruput" instead.

Ah, one more suggestion... If you don't want to chart the results in a time series, you can swap out the timechart command with the stats command, which may be a better fit for the solution you are looking for:

EG:
index="_internal" source=*metrics.log group="per_sourcetype_thruput" | stats avg(eps) by series


Splunk_rocks
Path Finder

Thanks, but I don't have access to DMC, so that is why I'm looking for individual searches.


Splunk_rocks
Path Finder

I just need to calculate index=* sourcetype=*, not from the internal index.


damiensurat
Contributor

Use tstats and specify the variables:

• index=main
• earliest=-30d
• groupby (_time, sourcetype)
• span=1s

| tstats count as COUNT where index=main earliest=-30d by _time,sourcetype span=1s | timechart span=1h max(COUNT) as eps by sourcetype useother=f

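Building on the tstats approach in the answer above, an added example (not part of the original thread) that returns peak and average EPS per sourcetype from one search. It assumes the window is exactly 30 * 86400 seconds; the output field names max_eps, avg_eps_busy, avg_eps_window and events are illustrative.

```spl
| tstats count as COUNT where index=* earliest=-30d by _time, sourcetype span=1s
| stats max(COUNT) as max_eps, avg(COUNT) as avg_eps_busy, sum(COUNT) as events by sourcetype
| eval avg_eps_busy = round(avg_eps_busy, 2), avg_eps_window = round(events / (30 * 86400), 2)
| sort - max_eps
```

tstats only emits a row for seconds that actually contain events, so avg_eps_busy is the average over busy seconds, while avg_eps_window spreads the same event total over the whole 30 days. A 1-second span over 30 days is expensive, so narrow index=* to the indexes you need where possible.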