Solved: Re: How to find the request per second by organiza...

sangs8788 · ‎08-24-2018

Hi

I have an event which is comprised of OrgName, RequestName and others. How do i find the the average & max request per sec by OrgName using per_second() function ?

I tried doing a timechart of per_sec() by OrgName. But it gives me every second, what is the per_second() with OrgName as the column names. I want to calculate average & max request per sec by OrgName ?

Could you please let me know how to achieve this.

MathiasLindblom · ‎08-24-2018

Hi,

Maybe this query can Point you in the right direction! It's not using the per_second from timechart, but should hopefully get the output you are looking for:

    <SEARCH>
        | bin _time span=1d
        | streamstats count as Req by OrgName
        | eval requestsPerMin=Req/24/60
        | eval requestsPerSec=requestsPerMin/60
        | stats avg(requestsPerMin) as avgRequestPerSec, max(requestsPerMin) as peakRequestPerMin by OrgName

If you want to see see the result/day, add the _time to to streamstats and stats to split it per day:

<SEARCH>
| bin _time span=1d
| streamstats count as Req by OrgName, _time
| eval requestsPerMin=Req/24/60
| eval requestsPerSec=requestsPerMin/60
| stats avg(requestsPerMin) as avgRequestPerSec, max(requestsPerMin) as peakRequestPerMin by OrgName, _time

View solution in original post

MathiasLindblom · ‎08-24-2018

Hi,

Maybe this query can Point you in the right direction! It's not using the per_second from timechart, but should hopefully get the output you are looking for:

    <SEARCH>
        | bin _time span=1d
        | streamstats count as Req by OrgName
        | eval requestsPerMin=Req/24/60
        | eval requestsPerSec=requestsPerMin/60
        | stats avg(requestsPerMin) as avgRequestPerSec, max(requestsPerMin) as peakRequestPerMin by OrgName

If you want to see see the result/day, add the _time to to streamstats and stats to split it per day:

<SEARCH>
| bin _time span=1d
| streamstats count as Req by OrgName, _time
| eval requestsPerMin=Req/24/60
| eval requestsPerSec=requestsPerMin/60
| stats avg(requestsPerMin) as avgRequestPerSec, max(requestsPerMin) as peakRequestPerMin by OrgName, _time

sangs8788 · ‎08-25-2018

Thanks ! This would work for me.

sangs8788 · ‎08-25-2018

@MathiasLindblom Sorry if i am being silly. I am bit confused here. What is the bin _time span=1d means here ? suppose i want to find the avg request per min for a week/month should i update the bin _time span =1w or bin _time span =30d

    index=data earliest=@w latest=now | bin _time span=1w
     | streamstats count as Req by OrgName, _time
     | eval requestsPerMin=Req/24/60
     | eval requestsPerSec=requestsPerMin/60
     | stats avg(requestsPerMin) as avgRequestPerSec, max(requestsPerMin) as peakRequestPerMin by OrgName

MathiasLindblom · ‎08-30-2018

Hi @sangs8788 , sorry for the late reply!
No worries, the bin command is just to split up the events per day so I get the correct results for requestsPerMin/Sec. As I look at it again now, this search won't be 100% correct sense the current hour/day/week/month won't be showing the correct results if it haven't ended (consider using latest=@h to ignore the latest - not ended hour).

If you want the avg of this week I would suggest you use a search like the first one I posted above like this:

index=data earliest=@w latest=d@h
| bin _time span=1h
| streamstats count as Req by OrgName
| eval requestsPerMin=Req/60
| eval requestsPerSec=requestsPerMin/60
| stats avg(requestsPerSec) as avgRequestPerSec, max(requestsPerMin) as peakRequestPerMin by OrgName

This will give you the avg and max of the current week.
Good luck!

sangs8788 · ‎08-24-2018

could someone help me out on this

Below is the query which i was discussing earlier

|eval requestcount=1 | timechart per_second(requestcount) as RequestPerSec per_minute(requestcount) AS RequestPerMin by OrgName
 | timechart span=1d avg(RequestPerSec) as avgRequestPerSec max(RequestPerSec) as peakRequestPerSec

The above query doesnt work since the OrgName becomes the actual organization field names.
Could you please let me know how to compute avg & max per OrgName

MathiasLindblom · ‎08-24-2018

Hi,

Is there a special reason to why you need to use the per_second() function? Looking at the query you didn't get working it looks like you want avg and peak usage for each orgName/day? With a table like this:

OrgName1 | AvgReqPerSec | PeakReqPerSec
OrgName2 | AvgReqPerSec | PeakReqPerSec

sangs8788 · ‎08-24-2018

i am trying to see what is the throughput our application is providing for eacch organisation/by any other criteria like host server something like that. Thats the exact format i am also looking for

inventsekar · ‎08-24-2018

The above query doesnt work since the OrgName becomes the actual organization field names. ///
bit confused here.. not sure how OrgName becomes the actual organization field names?!?!?
do you already have a field called OrgName in the events itself ah?!?!

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

sangs8788 · ‎08-24-2018

yes. Thats the problem

How to find the request per second by organization?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?