Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Count TPS from Datepicker group by field

qmail_madrid
New Member
‎07-13-2023 11:01 AM

So my based search can produce a table stats of  deployment, total hit, and time_seconds, I only need one more field that calculate TPS (total_hit/time_seconds). If it's not grouped by, it can produce the TPS. The challenge how to do it if it's grouped by.

base search
| rex ".*wm-(?<deployment>.*?)-"
| addinfo 
| eval t=info_max_time - info_min_time 
| stats count as hit max(t) as time_seconds by deployment

It resulted in this table. The time_seconds shows 3600 because the date_picker was set to 60 minutes

 

deploymenthittime_seconds
a25063609.000
b302853609.000
c22133609.000

 

Actually I only need to get the tps (calculated by hit/time) table which is:

deploymenttps
a...
b...
c...

 

Any idea to produce this. thanks. 
PS. already browse through the community but failed to find 

Labels (3)
Labels
0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎07-13-2023 11:35 PM

@qmail_madrid - Try this:

base search
| rex ".*wm-(?<deployment>.*?)-"
| stats count as hit by deployment
| addinfo 
| eval t=info_max_time - info_min_time 
| eval tps=hit/t

 

I hope this helps!! Consider upvoting!!

0 Karma
Reply

qmail_madrid
New Member
‎07-14-2023 02:44 AM

Thanks for your reply. I'd love to upvote it and unfortunately it does not addressed my desired result.

Of course to count tps we can use eval hit/t. But how to present it in pair of deployment and its each tps.

If it's not grouped by deployment, we can easily use this script


base search
| rex ".*wm-(?<deployment>.*?)-"
| addinfo
| eval t=info_max_time - info_min_time
| stats count max(t) as time_seconds
| eval TPS=count/time_seconds
| table TPS

it resulted as (for example)

tps
.....



0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎07-14-2023 03:15 AM

@qmail_madrid - I may not be understanding you correctly but:

Based on the TPS definition, my query logic seems correct.

Also, addinfo is the same value always so whether you do it after stats or before stats, or you use max() or avg() no difference. Hence performance wise it's suitable to do it after the stats command.

  • addinfo command generates the same output for all the rows, hence the above...

 

And if you apply that query, you will reach the logic I mentioned in my original response.

 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...