Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Count TPS from Datepicker group by field

qmail_madrid
New Member
‎07-13-2023 11:01 AM

So my based search can produce a table stats of  deployment, total hit, and time_seconds, I only need one more field that calculate TPS (total_hit/time_seconds). If it's not grouped by, it can produce the TPS. The challenge how to do it if it's grouped by.

base search
| rex ".*wm-(?<deployment>.*?)-"
| addinfo 
| eval t=info_max_time - info_min_time 
| stats count as hit max(t) as time_seconds by deployment

It resulted in this table. The time_seconds shows 3600 because the date_picker was set to 60 minutes

 

deploymenthittime_seconds
a25063609.000
b302853609.000
c22133609.000

 

Actually I only need to get the tps (calculated by hit/time) table which is:

deploymenttps
a...
b...
c...

 

Any idea to produce this. thanks. 
PS. already browse through the community but failed to find 

Labels (3)
Labels
0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎07-13-2023 11:35 PM

@qmail_madrid - Try this:

base search
| rex ".*wm-(?<deployment>.*?)-"
| stats count as hit by deployment
| addinfo 
| eval t=info_max_time - info_min_time 
| eval tps=hit/t

 

I hope this helps!! Consider upvoting!!

0 Karma
Reply

qmail_madrid
New Member
‎07-14-2023 02:44 AM

Thanks for your reply. I'd love to upvote it and unfortunately it does not addressed my desired result.

Of course to count tps we can use eval hit/t. But how to present it in pair of deployment and its each tps.

If it's not grouped by deployment, we can easily use this script


base search
| rex ".*wm-(?<deployment>.*?)-"
| addinfo
| eval t=info_max_time - info_min_time
| stats count max(t) as time_seconds
| eval TPS=count/time_seconds
| table TPS

it resulted as (for example)

tps
.....



0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎07-14-2023 03:15 AM

@qmail_madrid - I may not be understanding you correctly but:

Based on the TPS definition, my query logic seems correct.

Also, addinfo is the same value always so whether you do it after stats or before stats, or you use max() or avg() no difference. Hence performance wise it's suitable to do it after the stats command.

  • addinfo command generates the same output for all the rows, hence the above...

 

And if you apply that query, you will reach the logic I mentioned in my original response.

 

0 Karma
Reply
Get Updates on the Splunk Community!

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

This article is the continuation of the “Combine multiline logs into a single event with SOCK - a step-by-step ...

Everything Community at .conf24!

You may have seen mention of the .conf Community Zone 'round these parts and found yourself wondering what ...

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...