Solved: Re: How can I show average, peak, and peak time in...

wierling · ‎11-09-2015

Hi, my first post..I'm trying to display in a search the Average TPS (transactions per second), along with Peak TPS, along with timestamp that peak TPS occurred at in a 1 hour window.
Example:
AvgTPS | PeakTPS | PeakTime
100 | 500 | 11:05:15

I can get the values in separate searches, but can't seem to combine them into a single table result as above.

Here is the search that gets Average and Peak TPS:

index=test | timechart span=1m count(index) AS TPM | eval TPS=TPM/60 | stats avg(TPS) as avgTPS, max(TPS) as peakTPS

Here's the search that gets Peak TPS and Time peak occurred:

index=test | timechart span=1m count(index) AS TPM | eval peakTPS=TPM/60 | table peakTPS _time | sort peakTPS desc | head 1

How can I get the results in a single search?
Thanks,
-Bob

lguinn2 · ‎11-09-2015

Try this!

index=test 
| timechart span=1s count AS TPS
| eventstats max(TPS) as peakTPS
| eval peakTime=if(peakTPS==TPS,_time,null())
| stats avg(TPS) as avgTPS first(peakTPS) as peakTPS first(peakTime) as peakTime
| fieldformat peakTime=strftime(peakTime,"%x %X")

The eventstats command calculates the peakTPS and then the following eval command determines when that peakTPS occurred.

View solution in original post

lguinn2 · ‎11-09-2015

Try this!

index=test 
| timechart span=1s count AS TPS
| eventstats max(TPS) as peakTPS
| eval peakTime=if(peakTPS==TPS,_time,null())
| stats avg(TPS) as avgTPS first(peakTPS) as peakTPS first(peakTime) as peakTime
| fieldformat peakTime=strftime(peakTime,"%x %X")

The eventstats command calculates the peakTPS and then the following eval command determines when that peakTPS occurred.

wierling · ‎11-10-2015

That worked! Thanks for quick reply and solution.

How can I show average, peak, and peak time in a single search?

Routing logs with Splunk OTel Collector for Kubernetes

New This Month - Observability Updates Give Extended Visibility and Improve User ...

Intro to Splunk Synthetic Monitoring