Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Count TPS from Datepicker group by field

qmail_madrid
New Member
‎07-13-2023 11:01 AM

So my based search can produce a table stats of  deployment, total hit, and time_seconds, I only need one more field that calculate TPS (total_hit/time_seconds). If it's not grouped by, it can produce the TPS. The challenge how to do it if it's grouped by.

base search
| rex ".*wm-(?<deployment>.*?)-"
| addinfo 
| eval t=info_max_time - info_min_time 
| stats count as hit max(t) as time_seconds by deployment

It resulted in this table. The time_seconds shows 3600 because the date_picker was set to 60 minutes

 

deploymenthittime_seconds
a25063609.000
b302853609.000
c22133609.000

 

Actually I only need to get the tps (calculated by hit/time) table which is:

deploymenttps
a...
b...
c...

 

Any idea to produce this. thanks. 
PS. already browse through the community but failed to find 

Labels (3)
Labels
0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎07-13-2023 11:35 PM

@qmail_madrid - Try this:

base search
| rex ".*wm-(?<deployment>.*?)-"
| stats count as hit by deployment
| addinfo 
| eval t=info_max_time - info_min_time 
| eval tps=hit/t

 

I hope this helps!! Consider upvoting!!

0 Karma
Reply

qmail_madrid
New Member
‎07-14-2023 02:44 AM

Thanks for your reply. I'd love to upvote it and unfortunately it does not addressed my desired result.

Of course to count tps we can use eval hit/t. But how to present it in pair of deployment and its each tps.

If it's not grouped by deployment, we can easily use this script


base search
| rex ".*wm-(?<deployment>.*?)-"
| addinfo
| eval t=info_max_time - info_min_time
| stats count max(t) as time_seconds
| eval TPS=count/time_seconds
| table TPS

it resulted as (for example)

tps
.....



0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎07-14-2023 03:15 AM

@qmail_madrid - I may not be understanding you correctly but:

Based on the TPS definition, my query logic seems correct.

Also, addinfo is the same value always so whether you do it after stats or before stats, or you use max() or avg() no difference. Hence performance wise it's suitable to do it after the stats command.

  • addinfo command generates the same output for all the rows, hence the above...

 

And if you apply that query, you will reach the logic I mentioned in my original response.

 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

In today’s data-heavy environment, organizations are caught in a data distribution dilemma. As data volumes ...

GA: New Data Management App in Splunk Platform

Streamlining Data Management: Introducing a unified experience in Splunk Managing data at scale shouldn’t feel ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...