How to show max TPS with trendline

Path Finder

I'm trying to show MAX TPS on a single value panel, with a trendline.
Showing just TPS is easy:

<search> earliest=1h   |eval TPS = 1  | timechart per_second(TPS) as TPS

That works as it should on a single value panel.

Now on a second single value panel I want to show max TPS over the same time period, also with a trendline. I can't figure out the query to do so using timechart.

I have a feeling this is Splunk 101 stuff and I should know this but I am stuck.
Help please

0 Karma
1 Solution

Super Champion

Hey, this query shows avg TPS, max TPS, and max time in a single search:

 | timechart span=1s count AS TPS
 | eventstats max(TPS) as peakTPS
 | eval peakTime=if(peakTPS==TPS,_time,null())
 | stats avg(TPS) as avgTPS first(peakTPS) as peakTPS first(peakTime) as peakTime
 | fieldformat peakTime=strftime(peakTime,"%x %X")

The eventstats command calculates the peakTPS and then the following eval command determines when that peakTPS occurred.
Let me know if this helps!

Path Finder

Adding a comment up here for visibility since the thread is getting deep

I tried

index=main    | timechart span=1s  count AS TPS | timechart span=1s max(TPS) AS Max_TPS

using a 2 minute window.

I do get a TPS value, and a trendline, but not the max TPS. See this URL for the output:


You can see that the MAX_TPS is not really displaying the maximum high value

0 Karma

Path Finder

@mayurr98 comments led me to the answer. I needed a 2nd timechart command that used the same time window. That gave me the correct max tps and a trendline.

index=main | eval TPS=1 | timechart per_second(TPS) AS TPS | timechart span=2m max(TPS)

0 Karma

Path Finder

I saw that answer too @mayurr98, but it won't work for me because I need to show a single value, with a trendline. "stats", since it does not have a time component, will not allow for a trendline to be displayed.

0 Karma

Super Champion

Well you can modify this query

  | timechart span=1s count AS TPS
  | eventstats max(TPS) as peakTPS
  | timechart span=1s first(peakTPS) as peakTPS

Let me know if this helps!

0 Karma

Path Finder

That's closer! At least I get a value for peakTPS now.
What's missing is that the trendline is flat "0.0".

That's probably due to the eventstats not having a time component. However changing it to | eventstats max(TPS) as peakTPS by _time doesn't work either as the last timechart statement will only pick up the first peakTPS value....which isn't the highest.

0 Karma

Super Champion

Okay try this

index=<your_index> | timechart span=1s count as TPS | timechart max(TPS)

0 Karma

Path Finder

Well I get a TPS (but not max) and a trendline, so 50/50 🙂
I don't think I have enough karma to post a direct URL of a screenshot... but let me try


0 Karma

Path Finder

Copy/paste that URL and you will see that the max_tps is not really the maximum. There are other higher values there but it's not displaying those higher values.

For this example, the query is really simple:
index=main | timechart span=1s count AS TPS | timechart span=1s max(TPS) AS Max_TPS

The time window is "last 2 minutes"... super duper simple that it should work without question. Pulling my hair out 😞

0 Karma

Path Finder

I think I have it figured out

index=main    | eval TPS=1 | timechart per_second(TPS) AS TPS |  timechart span=2m  max(TPS)

The "span" in the 2nd timechart has to match the time window that I want. Once I change that, it does give me the max TPS.

0 Karma
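
A small model of the bucketing behind the queries tried in this thread, as an added example that is not part of any post here. It shows why a second `timechart span=1s max(TPS)` returns the last second's TPS, why the `eventstats` variant gives a flat trend, and what widening the span changes. The sample events, the helper names and the panel's "latest row versus previous row" behaviour are assumptions made for illustration.

```python
from collections import defaultdict

def timechart(rows, span, agg):
    """Model of `timechart span=<span>s <agg>(value)`: bin rows by time, aggregate each bin.
    Simplification: empty bins are omitted rather than zero-filled."""
    bins = defaultdict(list)
    for t, value in rows:
        bins[t - t % span].append(value)
    return [(start, agg(values)) for start, values in sorted(bins.items())]

def single_value(series):
    """Assumed panel behaviour: show the latest row and its change from the previous row."""
    latest = series[-1][1]
    previous = series[-2][1] if len(series) > 1 else latest
    return latest, latest - previous

# Constructed sample: 4 minutes of events at 3 per second, with bursts of 9 and 5.
RATE = {70: 9, 200: 5, 239: 2}
EVENTS = [(sec, 1) for sec in range(240) for _ in range(RATE.get(sec, 3))]

# | timechart span=1s count AS TPS
TPS = timechart(EVENTS, 1, len)

def max_tps_panel(span):
    """| timechart span=<span>s max(TPS) AS Max_TPS, then the single value panel."""
    return single_value(timechart(TPS, span, max))

def eventstats_panel():
    """| eventstats max(TPS) AS peakTPS | timechart span=1s first(peakTPS) AS peakTPS"""
    peak = max(value for _, value in TPS)
    stamped = [(t, peak) for t, _ in TPS]
    return single_value(timechart(stamped, 1, lambda values: values[0]))

if __name__ == "__main__":
    print("span=1s   ", max_tps_panel(1))     # one TPS per bin: last second, not the peak
    print("span=120s ", max_tps_panel(120))   # peak of the latest 2-minute bin, with a trend
    print("span=240s ", max_tps_panel(240))   # overall peak, but a single row so no trend
    print("eventstats", eventstats_panel())   # overall peak on every row, so a flat trend
```
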

Ultra Champion

Hello there:

Try this: <search> earliest=1h   |eval TPS = 1  | timechart span=1s max(TPS) as TPS

Hope it helps

0 Karma

Path Finder

Sorry @adonio, I wish it was that easy.
What I get is a TPS value of 1 (since I previously defined it with the eval statement).

I tried changing it to timechart span=1s max(count) as TPS but that gave me a "0".. not sure why. I would have thought that would work. A simple timechart span=1s count AS TPS does give me values, just not the MAX.

0 Karma