Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I calculate the number of Events Per Day so I can then divide by 86400 to get the daily EPS?

Rhidian
Path Finder
‎07-29-2022 08:05 AM

Hi,

I'm trying to calculate the number of events per day so I can then divide by 86400 to get the daily EPS. I know I can get the EPS "directly" using various queries like the below but I don't really understand the logic as what is the ev field and how is it calculated?

index=_internal sourcetype=splunkd Metrics TERM(group=per_sourcetype_thruput) component=Metrics
| fields ev series _time
| rename ev as events, series as sourcetype
| timechart limit=15 partial=f minspan=30s per_second(events) as EPS by sourcetype
| append [ | tstats dc(source) as Sources, dc(sourcetype) as Sourcetypes, dc(host) as Hosts where index=* by _time | timechart partial=f sum(Sources) as Sources, sum(Sourcetypes) as Sourcetypes, sum(Hosts) as Hosts ]
| timechart partial=f first(*) as * | addtotals
| fields _time Total
| appendpipe [| stats count | where count=0 | eval Total="0"]

 

Labels (3)
Labels
0 Karma
Reply

Rhidian
Path Finder
‎07-29-2022 02:31 PM

Thanks, is there a way to show the events through the data as when I do a search my results no where near match the number produced by using ev?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-01-2022 06:37 AM

To count events use the tstats command.

| tstats count where index=* _index_earliest=-1d@d _index_latest=@d by index

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

maede_yavari
Explorer
‎12-09-2023 05:02 AM

Hello,

is it possible to execute the following command to calculate Event per day in one week?

index=* earliest=-7d
| timechart span=1d count

 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-09-2023 05:25 AM

Yes, it's possible, but don't do that.  It tells Splunk to open every bucket with data from the last seven days and read all of the events from that time.  It will be slow and wasteful of resources.  Use tstats, instead.

---
If this reply helps you, Karma would be appreciated.
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-29-2022 08:36 AM

The per_second function sums the given field then divides the total by the number of seconds in the interval to get the per-second value.

The ev field in Metrics events is the number of events received in the current sampling interval.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

Rhidian
Path Finder
‎07-30-2022 12:43 AM

Thanks, is there a way to show the events through the data as when I do a search my results no where near match the number produced by using ev?

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎08-01-2022 06:26 AM

Hi

from documentation which @richgalloway pointed to you, you see this

By default, metrics.log reports the top 10 results for each type. You can change that number of series from the default by editing the value of maxseries in the [metrics] stanza in limits.conf.

So it's not report all events which splunk ingesting/read/send etc. That's the reason why you cannot see/get correct values. All those values what you are getting from metrics.log are just estimates not exact values for all data.

If you need a real EPS you must count e.g. indexed events per time slot using _indextime not _time. Or another option is use some apps or another way to get exact numbers from needed place.

r. Ismo 

0 Karma
Reply

Rhidian
Path Finder
‎08-22-2022 04:52 AM

Thanks, could you please provide such a query?

Tags (1)
0 Karma
Reply

Rhidian
Path Finder
‎07-29-2022 08:47 AM

So the sum of ev is the total number of events for the interval? 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-29-2022 09:44 AM

Yes, but it's not 100% accurate so the number calculated here may not match your license usage.  See https://docs.splunk.com/Documentation/Splunk/9.0.0/Troubleshooting/Aboutmetricslog and https://docs.splunk.com/Documentation/Splunk/9.0.0/Troubleshooting/Aboutmetricslog#Thruput_messages:....

---
If this reply helps you, Karma would be appreciated.
Reply

Rhidian
Path Finder
‎08-01-2022 01:17 AM

Unfortunately summing ev  suggests I had an EPS of 18396 which is way off the mark. Any other ideas?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-01-2022 06:13 AM

Make sure the numbers being added are from the same interval.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...