Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to find the request per second by organization?

sangs8788
Communicator
‎08-24-2018 01:52 AM

Hi

I have an event which is comprised of OrgName, RequestName and others. How do i find the the average & max request per sec by OrgName using per_second() function ?

I tried doing a timechart of per_sec() by OrgName. But it gives me every second, what is the per_second() with OrgName as the column names. I want to calculate average & max request per sec by OrgName ?

Could you please let me know how to achieve this.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MathiasLindblom
Path Finder
‎08-24-2018 05:14 AM

Hi,

Maybe this query can Point you in the right direction! It's not using the per_second from timechart, but should hopefully get the output you are looking for:

    <SEARCH>
        | bin _time span=1d
        | streamstats count as Req by OrgName
        | eval requestsPerMin=Req/24/60
        | eval requestsPerSec=requestsPerMin/60
        | stats avg(requestsPerMin) as avgRequestPerSec, max(requestsPerMin) as peakRequestPerMin by OrgName

If you want to see see the result/day, add the _time to to streamstats and stats to split it per day:

<SEARCH>
| bin _time span=1d
| streamstats count as Req by OrgName, _time
| eval requestsPerMin=Req/24/60
| eval requestsPerSec=requestsPerMin/60
| stats avg(requestsPerMin) as avgRequestPerSec, max(requestsPerMin) as peakRequestPerMin by OrgName, _time

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

MathiasLindblom
Path Finder
‎08-24-2018 05:14 AM

Hi,

Maybe this query can Point you in the right direction! It's not using the per_second from timechart, but should hopefully get the output you are looking for:

    <SEARCH>
        | bin _time span=1d
        | streamstats count as Req by OrgName
        | eval requestsPerMin=Req/24/60
        | eval requestsPerSec=requestsPerMin/60
        | stats avg(requestsPerMin) as avgRequestPerSec, max(requestsPerMin) as peakRequestPerMin by OrgName

If you want to see see the result/day, add the _time to to streamstats and stats to split it per day:

<SEARCH>
| bin _time span=1d
| streamstats count as Req by OrgName, _time
| eval requestsPerMin=Req/24/60
| eval requestsPerSec=requestsPerMin/60
| stats avg(requestsPerMin) as avgRequestPerSec, max(requestsPerMin) as peakRequestPerMin by OrgName, _time
0 Karma
Reply
Solved! Jump to solution

sangs8788
Communicator
‎08-25-2018 06:04 AM

Thanks ! This would work for me.

0 Karma
Reply
Solved! Jump to solution

sangs8788
Communicator
‎08-25-2018 06:34 AM

@MathiasLindblom Sorry if i am being silly. I am bit confused here. What is the bin _time span=1d means here ? suppose i want to find the avg request per min for a week/month should i update the bin _time span =1w or bin _time span =30d

    index=data earliest=@w latest=now | bin _time span=1w
     | streamstats count as Req by OrgName, _time
     | eval requestsPerMin=Req/24/60
     | eval requestsPerSec=requestsPerMin/60
     | stats avg(requestsPerMin) as avgRequestPerSec, max(requestsPerMin) as peakRequestPerMin by OrgName
0 Karma
Reply
Solved! Jump to solution

MathiasLindblom
Path Finder
‎08-30-2018 12:26 AM

Hi @sangs8788 , sorry for the late reply!
No worries, the bin command is just to split up the events per day so I get the correct results for requestsPerMin/Sec. As I look at it again now, this search won't be 100% correct sense the current hour/day/week/month won't be showing the correct results if it haven't ended (consider using latest=@h to ignore the latest - not ended hour).

If you want the avg of this week I would suggest you use a search like the first one I posted above like this:

index=data earliest=@w latest=d@h
| bin _time span=1h
| streamstats count as Req by OrgName
| eval requestsPerMin=Req/60
| eval requestsPerSec=requestsPerMin/60
| stats avg(requestsPerSec) as avgRequestPerSec, max(requestsPerMin) as peakRequestPerMin by OrgName

This will give you the avg and max of the current week.
Good luck!

0 Karma
Reply
Solved! Jump to solution

sangs8788
Communicator
‎08-24-2018 03:34 AM

could someone help me out on this

Below is the query which i was discussing earlier

|eval requestcount=1 | timechart per_second(requestcount) as RequestPerSec per_minute(requestcount) AS RequestPerMin by OrgName
 | timechart span=1d avg(RequestPerSec) as avgRequestPerSec max(RequestPerSec) as peakRequestPerSec

The above query doesnt work since the OrgName becomes the actual organization field names.
Could you please let me know how to compute avg & max per OrgName

0 Karma
Reply
Solved! Jump to solution

MathiasLindblom
Path Finder
‎08-24-2018 04:32 AM

Hi,

Is there a special reason to why you need to use the per_second() function? Looking at the query you didn't get working it looks like you want avg and peak usage for each orgName/day? With a table like this:

OrgName1 | AvgReqPerSec | PeakReqPerSec
OrgName2 | AvgReqPerSec | PeakReqPerSec

0 Karma
Reply
Solved! Jump to solution

sangs8788
Communicator
‎08-24-2018 05:06 AM

i am trying to see what is the throughput our application is providing for eacch organisation/by any other criteria like host server something like that. Thats the exact format i am also looking for

0 Karma
Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎08-24-2018 03:55 AM

The above query doesnt work since the OrgName becomes the actual organization field names. ///
bit confused here.. not sure how OrgName becomes the actual organization field names?!?!?
do you already have a field called OrgName in the events itself ah?!?!

0 Karma
Reply
Solved! Jump to solution

sangs8788
Communicator
‎08-24-2018 05:05 AM

yes. Thats the problem

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...