Solved: How to efficiently calculate max events per second...

the_wolverine · ‎03-17-2015

I could count against the raw data but it takes a long time. How can I more efficiently count on such stats?

the_wolverine · ‎03-17-2015

Use tstats and specify the variables:

index=main
earliest=-30d
groupby (_time, sourcetype)
span=1s

| tstats count as COUNT where index=main earliest=-30d by _time,sourcetype span=1s | timechart span=1h max(COUNT) as eps by sourcetype

the_wolverine · ‎03-17-2015

Use tstats and specify the variables:

index=main
earliest=-30d
groupby (_time, sourcetype)
span=1s

| tstats count as COUNT where index=main earliest=-30d by _time,sourcetype span=1s | timechart span=1h max(COUNT) as eps by sourcetype

awurster · ‎05-09-2016

might suggest a reformat (note in my search i do index=*😞

| tstats count as COUNT where index=* earliest=-30d by _time, sourcetype span=1s
  | timechart span=1h max(COUNT) as eps by sourcetype

thambisetty · ‎04-04-2021

FYI -
earliest=-30d and span=1s will produce 1 day = 86400 seconds * 30 days = 2,592,000

tstats will limit results to 50,000 hence the output of the search will truncate results.

————————————
If this helps, give a like below.

How to efficiently calculate max events per second (eps) by hour over long timeranges, like 30 days?