Splunk Search

How to calculate transaction per second for my search?

abzmhzsplunk
New Member

for the search

index=* some_events | stats count

how to calculate the transaction per second for this search (how to get how many seconds for the search job)?
tried to use |addinfo | eval t=info_max_time - info_min_time but couldn't get it to work.
please help.
thanks.

0 Karma
1 Solution

somesoni2
Revered Legend

Try this

index=* | addinfo | eval t=info_max_time - info_min_time | stats count as ct max(t) as t | eval tps=ct/t |table ct, tps

View solution in original post

somesoni2
Revered Legend

Try this

index=* | addinfo | eval t=info_max_time - info_min_time | stats count as ct max(t) as t | eval tps=ct/t |table ct, tps

lguinn2
Legend

addinfo doesn't tell you anything about how long it took your search to run - it gives some access to information about your search, but not that.

An administrator can tell how long a search ran by looking in the _audit index like this

index=_audit action=search user!="splunk-system-user" info=completed
| table user search_id total_run_time exec_time scan_count event_count _time

I used the table just to show an example of the results...

0 Karma

abzmhzsplunk
New Member

How to calculate how many seconds already run in my search? That is what I want.

0 Karma

somesoni2
Revered Legend

Are you trying to calculate, for your search, number of rows in the base search/time it took to execute; OR just for your events, how many events are coming to your indexes per second (count/time range in secs)?

0 Karma

abzmhzsplunk
New Member

Here is what I tried
index=* | addinfo | eval t=info_max_time - info_min_time | stats count as ct | eval tps=ct/t |table ct, tps

I want to find out total count for the search and the time of the search, then calculate tps="total count" / "time in seconds for the search"

0 Karma
Get Updates on the Splunk Community!

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

We love our Splunk Community and want you to feel inspired by all your hard work! Eric Fusilero, our VP of ...

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...