Hi,
I'm new to Splunk and I'm looking for some help with plotting a timechart to show requests per sec. Thanks in advance.
I currently have a dashboard panel that shows transactions (or requests)/second. The user chooses the time range and span from a drop-down and TPS is plotted for that time range. This is the search I'm using.
search string | timechart span=$tok_span$ count | timechart per_second(count)
This works great, but the search string returns all services grouped under a certain category that is filtered by the url string.
Now I need to plot the same metric (TPS) for each service (and there is like 10 of them). I have an eventtype created for each service.
My problem is timechart per_second() works only for a single integer value count, but I want to be able to plot this for each service on the same timechart.
Any thoughts are greatly appreciated. Thanks!
Give this a try
search string | bucket span=$tok_span$ _time | stats count by _time eventtype | timechart per_second(count) by eventtype
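To make the per-second arithmetic behind that pipeline concrete, here is an added Python illustration (not from the thread or from Splunk) that replays the same steps on a constructed event list: bucket _time to the span, count by bucket and eventtype, then divide by the span length. It assumes the timechart span is the same as the bucket span, which is what makes per_second(count) equal count divided by span seconds.

```python
from collections import defaultdict

# Constructed sample events (not from the thread): (epoch seconds, eventtype).
# Each tuple stands for one request matched by one service's eventtype.
SAMPLE_EVENTS = [
    (1_700_000_000, "svc_login"),
    (1_700_000_010, "svc_login"),
    (1_700_000_020, "svc_login"),
    (1_700_000_005, "svc_search"),
    (1_700_000_070, "svc_login"),
    (1_700_000_125, "svc_search"),
]


def bucket_time(epoch, span_seconds):
    """Mirror of `bucket span=<span> _time`: floor to the span boundary."""
    return epoch - (epoch % span_seconds)


def count_by_bucket_and_eventtype(events, span_seconds):
    """Mirror of `stats count by _time eventtype` after bucketing."""
    counts = defaultdict(int)
    for epoch, eventtype in events:
        counts[(bucket_time(epoch, span_seconds), eventtype)] += 1
    return dict(counts)


def per_second_by_eventtype(events, span_seconds):
    """Mirror of `timechart per_second(count) by eventtype` when the timechart
    span equals the bucket span: rate = events in the bucket / span seconds.
    A 1-minute bucket holding 3 events is therefore 0.05 requests per second,
    not 3, which is the per-minute count the asker saw."""
    counts = count_by_bucket_and_eventtype(events, span_seconds)
    return {key: n / span_seconds for key, n in counts.items()}


def rows_for_range(range_seconds, span_seconds):
    """Rows a `timechart span=<span> count` produces over a time range (one per
    bucket). Shows why span=1s over 4 hours hits the result limit while
    bucketing to 60s and dividing keeps the row count small."""
    return range_seconds // span_seconds


if __name__ == "__main__":
    for (bucket, eventtype), rate in sorted(per_second_by_eventtype(SAMPLE_EVENTS, 60).items()):
        print(f"{bucket} {eventtype:<11} {rate:.4f} req/s")
    print("rows at span=1s over 4h:", rows_for_range(4 * 3600, 1))
    print("rows at span=60s over 4h:", rows_for_range(4 * 3600, 60))
```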
Does exactly what I was looking for. Thanks a bunch! The only thing is, it's slow to load when the time range is > 4 hours. I came across summary indexing, which may help with performance I think. I will try to explore that. But this is great, thanks again.
You say timechart is only working for a single integer value count, but that's not quite true. Based on your description, you should be able to use a 'by' grouping clause:
... timechart span=$tok_span$ count by service
Or am I misunderstanding what you are trying to achieve?
Sorry, maybe I was not clear. I can do by on the first timechart command and it shows me the timechart by service for the span selected. So if the time range selected was, say, 4 hours, the default span I think is 1 min, and so the count is per min, but the metric I'm looking for is transactions per second.
I'm not able to do timechart per_second(count) by eventtype
If I instead just use one timechart command after the search, like below, the number of events returned is too high and so gets truncated for a larger window.
search | timechart span=1s count