Solved: How to calculate peak rate of certain transactions...

bowesmana · ‎02-07-2016

I have a log that records a transaction name, channel, and timing information, and need to calculate the maximum rate/minute for each transaction. Something along the lines of

index=web_load sourcetype=instrument 
| eval Transaction=i_tx.":".i_chn
| bucket _time span=1m 
| top 1 _time showperc=false by Transaction

but I also want to show the corresponding min, average, max, perc95 elapsed time for that associated minute from the i_elapsed field, something like I can get from

index=web_load sourcetype=instrument 
| eval Transaction=i_tx.":".i_chn
| stats count as Count, min(i_elapsed) as Min, avg(i_elapsed) as Avg, max(i_elapsed) as Max, perc95(i_elapsed) as 95th by Transaction

How can I get the min/max/avg/perc95 numbers into the table or the rate into the stats table?

somesoni2 · ‎02-08-2016

Try something like this

index=web_load sourcetype=instrument 
 | eval Transaction=i_tx.":".i_chn
 | bucket _time span=1m 
 | stats count as Count, min(i_elapsed) as Min, avg(i_elapsed) as Avg, max(i_elapsed) as Max, perc95(i_elapsed) as 95th by _time Transaction
 | eventstats max(Count) as max by Transaction | where max=Count | fields - max

View solution in original post

somesoni2 · ‎02-08-2016

Try something like this

index=web_load sourcetype=instrument 
 | eval Transaction=i_tx.":".i_chn
 | bucket _time span=1m 
 | stats count as Count, min(i_elapsed) as Min, avg(i_elapsed) as Avg, max(i_elapsed) as Max, perc95(i_elapsed) as 95th by _time Transaction
 | eventstats max(Count) as max by Transaction | where max=Count | fields - max

bowesmana · ‎02-08-2016

That's great, there where clause does it. I added an extra bit to handle duplicates where max=Count, so as to take the min(min), max(max) etc of the duplicates before removing the dups.

index=web_load sourcetype=instrument
| eval Transaction=i_tx.":".i_chn
| bucket _time span=1m
| stats count as Count, min(i_elapsed) as Min, avg(i_elapsed) as Avg, max(i_elapsed) as Max, perc95(i_elapsed) as 95th by i_tx, Transaction, _time
| eventstats max(Count) as Peak by Transaction
| where Count=Peak 
| eventstats min(Min) as Minimum, avg(Avg) as Average, max(Max) as Maximum, max(95th) as P95 by Transaction
| fields - Count, Min, Avg, Max, 95th
| dedup Transaction, Peak

jplumsdaine22 · ‎02-08-2016

Have you considered using timechart? EG:

index=web_load sourcetype=instrument | eval Transaction=i_tx.":".i_chn | timechart span=1m count as tx_per_minute, min(i_elapsed) as Min, avg(i_elapsed) as Avg, max(i_elapsed) as Max, perc95(i_elapsed) as 95th by Transaction

bowesmana · ‎02-08-2016

Yes, I have, but I can have up to 500 different Transaction/channel combinations during a 75 minute test run. That will give me 5 values for each of those 500 transactions for each of 75 minutes in the test (187,500 counters) . I am just after those 5 values for each of the peak rates achieved, so I would need 500 lines with peak rate/min and min, avg, max, p95 for the minute where that peak was reached, i.e. 2,500 in total.

My test is divided into sections, where each 'source' will indicate the test phase and different transactions occur during each phase.

How to calculate peak rate of certain transactions as well as avg/min/max

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!