Solved: How to calculate transaction per second for my sea...

abzmhzsplunk · ‎02-24-2017

for the search

index=* some_events | stats count

how to calculate the transaction per second for this search (how to get how many seconds for the search job)?
tried to use |addinfo | eval t=info_max_time - info_min_time but couldn't get it to work.
please help.
thanks.

somesoni2 · ‎02-24-2017

Try this

index=* | addinfo | eval t=info_max_time - info_min_time | stats count as ct max(t) as t | eval tps=ct/t |table ct, tps

View solution in original post

somesoni2 · ‎02-24-2017

Try this

index=* | addinfo | eval t=info_max_time - info_min_time | stats count as ct max(t) as t | eval tps=ct/t |table ct, tps

lguinn2 · ‎02-24-2017

addinfo doesn't tell you anything about how long it took your search to run - it gives some access to information about your search, but not that.

An administrator can tell how long a search ran by looking in the _audit index like this

index=_audit action=search user!="splunk-system-user" info=completed
| table user search_id total_run_time exec_time scan_count event_count _time

I used the table just to show an example of the results...

abzmhzsplunk · ‎02-24-2017

How to calculate how many seconds already run in my search? That is what I want.

somesoni2 · ‎02-24-2017

Are you trying to calculate, for your search, number of rows in the base search/time it took to execute; OR just for your events, how many events are coming to your indexes per second (count/time range in secs)?

abzmhzsplunk · ‎02-24-2017

I want to find out total count for the search and the time of the search, then calculate tps="total count" / "time in seconds for the search"

How to calculate transaction per second for my search?

SOC Modernization: How Automation and Splunk SOAR are Shaping the Next-Gen Security ...

Ask It, Fix It: Faster Investigations with AI Assistant in Observability Cloud

Index This | How many sides does a circle have?