How do I calculate the number of Events Per Day so I can then divide by 86400 to get the daily EPS?
Hi,
I'm trying to calculate the number of events per day so I can then divide by 86400 to get the daily EPS. I know I can get the EPS "directly" using various queries like the one below, but I don't really understand the logic: what is the ev field and how is it calculated?
index=_internal sourcetype=splunkd Metrics TERM(group=per_sourcetype_thruput) component=Metrics
| fields ev series _time
| rename ev as events, series as sourcetype
| timechart limit=15 partial=f minspan=30s per_second(events) as EPS by sourcetype
| append [ | tstats dc(source) as Sources, dc(sourcetype) as Sourcetypes, dc(host) as Hosts where index=* by _time | timechart partial=f sum(Sources) as Sources, sum(Sourcetypes) as Sourcetypes, sum(Hosts) as Hosts ]
| timechart partial=f first(*) as * | addtotals
| fields _time Total
| appendpipe [| stats count | where count=0 | eval Total="0"]
Thanks, is there a way to show the events through the data? When I do a search, my results are nowhere near the number produced by using ev.
To count events use the tstats command.
| tstats count where index=* _index_earliest=-1d@d _index_latest=@d by index
If this reply helps you, Karma would be appreciated.
Hello,
is it possible to execute the following command to calculate Event per day in one week?
index=* earliest=-7d
| timechart span=1d count
Yes, it's possible, but don't do that. It tells Splunk to open every bucket with data from the last seven days and read all of the events from that time. It will be slow and wasteful of resources. Use tstats, instead.
If this reply helps you, Karma would be appreciated.
The per_second function sums the given field then divides the total by the number of seconds in the interval to get the per-second value.
The ev field in Metrics events is the number of events received in the current sampling interval.
If this reply helps you, Karma would be appreciated.
Hi
from the documentation which @richgalloway pointed you to, you can see this:
By default, metrics.log reports the top 10 results for each type. You can change that number of series from the default by editing the value of maxseries in the [metrics] stanza in limits.conf.
So it does not report all events which Splunk is ingesting/reading/sending etc. That's the reason why you cannot see/get correct values. All those values you are getting from metrics.log are just estimates, not exact values for all data.
If you need a real EPS you must count e.g. indexed events per time slot using _indextime, not _time. Another option is to use some apps or another way to get exact numbers from the needed place.
r. Ismo
So the sum of ev is the total number of events for the interval?
Yes, but it's not 100% accurate so the number calculated here may not match your license usage. See https://docs.splunk.com/Documentation/Splunk/9.0.0/Troubleshooting/Aboutmetricslog and https://docs.splunk.com/Documentation/Splunk/9.0.0/Troubleshooting/Aboutmetricslog#Thruput_messages:....
If this reply helps you, Karma would be appreciated.
Unfortunately summing ev suggests I had an EPS of 18396 which is way off the mark. Any other ideas?
Make sure the numbers being added are from the same interval.
If this reply helps you, Karma would be appreciated.
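As an added example (not posted by anyone in this thread), a Python script that mirrors what the per_second explanation and the "same interval" reply above describe: it parses constructed metrics.log thruput lines, sums ev only within one sampling interval before dividing by the interval length, and sums ev over the day for the 86400 division. The log lines, series names and ev values are constructed approximations of the metrics.log format, not real data.

```python
import re
from collections import defaultdict

# Constructed sample lines approximating the metrics.log thruput format (not real data).
# Each sampling interval (30 s by default) emits one line per series, and only the
# top maxseries series are reported, so sum(ev) is only an estimate of real ingest.
SAMPLE_LOG = """\
10-01-2022 00:00:31.000 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="syslog", kbps=4.10, eps=12.00, kb=123.0, ev=360, avg_age=0.2, max_age=1
10-01-2022 00:00:31.000 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="access_combined", kbps=2.00, eps=5.00, kb=60.0, ev=150, avg_age=0.1, max_age=1
10-01-2022 00:01:01.000 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="syslog", kbps=4.00, eps=11.50, kb=120.0, ev=345, avg_age=0.2, max_age=1
10-01-2022 00:01:01.000 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="access_combined", kbps=2.10, eps=5.50, kb=63.0, ev=165, avg_age=0.1, max_age=1
10-01-2022 00:01:01.000 +0000 INFO  Metrics - group=per_index_thruput, series="main", kbps=6.10, eps=17.00, kb=183.0, ev=510, avg_age=0.2, max_age=1
"""

LINE_RE = re.compile(
    r'^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) [+-]\d{4} INFO\s+Metrics - '
    r'group=(?P<group>\S+), series="(?P<series>[^"]*)",.*?\bev=(?P<ev>\d+)'
)

def parse_thruput(text, group="per_sourcetype_thruput"):
    """Return (timestamp, series, ev) tuples for ONE thruput group.
    Filtering on group matters: per_index_thruput reports the same events
    again, so mixing groups double-counts."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("group") == group:
            records.append((m.group("ts"), m.group("series"), int(m.group("ev"))))
    return records

def eps_per_interval(records, interval_seconds=30):
    """Mirror of `timechart minspan=30s per_second(ev)`: sum ev within each
    sampling interval (same timestamp), then divide by the interval length."""
    totals = defaultdict(int)
    for ts, _series, ev in records:
        totals[ts] += ev  # only add numbers that come from the same interval
    return {ts: total / interval_seconds for ts, total in sorted(totals.items())}

def daily_eps(records, day_seconds=86400):
    """Events per day is the plain sum of ev over that day; dividing by
    86400 gives the averaged daily EPS the question asks for."""
    total = sum(ev for _ts, _series, ev in records)
    return total, total / day_seconds

if __name__ == "__main__":
    recs = parse_thruput(SAMPLE_LOG)
    for ts, eps in eps_per_interval(recs).items():
        print(f"{ts}  {eps:.2f} EPS")
    events, eps = daily_eps(recs)
    print(f"events={events}  daily EPS={eps:.4f}")
```

Because only the top maxseries series are logged, compare the result against a tstats count over _indextime before trusting it for sizing.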
