
How to show max TPS with trendline

randy_moore
Path Finder

I'm trying to show MAX TPS on a single value panel, with a trendline.
Showing just TPS is easy:

<search> earliest=-1h | eval TPS=1 | timechart per_second(TPS) as TPS

That works as it should on a single value panel.

Now on a second single value panel I want to show max TPS over the same time period, also with a trendline. I can't figure out the query to do so using timechart.

I have a feeling this is Splunk 101 stuff and I should know this but I am stuck.
Help please

1 Solution

mayurr98
Super Champion

Hey, this query shows avg TPS, max TPS, and max time in a single search:

 index=<your_index>
 | timechart span=1s count AS TPS
 | eventstats max(TPS) as peakTPS
 | eval peakTime=if(peakTPS==TPS,_time,null())
 | stats avg(TPS) as avgTPS first(peakTPS) as peakTPS first(peakTime) as peakTime
 | fieldformat peakTime=strftime(peakTime,"%x %X")

The eventstats command calculates the peakTPS and then the following eval command determines when that peakTPS occurred.
Let me know if this helps!

randy_moore
Path Finder

Adding a comment up here for visibility since the thread is getting deep

I tried

index=main | timechart span=1s count AS TPS | timechart span=1s max(TPS) AS Max_TPS

using a 2 minute window.

I do get a TPS value, and a trendline, but not the max TPS. See this URL for the output:

https://www.screencast.com/t/tVUoz1oYJjAq

You can see that the MAX_TPS is not really displaying the maximum high value


randy_moore
Path Finder

@mayurr98's comments led me to the answer. I needed a 2nd timechart command that used the same time window. That gave me the correct max TPS and a trendline.

index=main | eval TPS=1 | timechart per_second(TPS) AS TPS | timechart span=2m max(TPS)



randy_moore
Path Finder

I saw that answer too @mayurr98, but it won't work for me because I need to show a single value, with a trendline. "stats", since it does not have a time component, will not allow for a trendline to be displayed.

mayurr98
Super Champion

Well, you can modify this query:

index=<your_index>
  | timechart span=1s count AS TPS
  | eventstats max(TPS) as peakTPS
  | timechart span=1s first(peakTPS) as peakTPS

Let me know if this helps!

randy_moore
Path Finder

That's closer! At least I get a value for peakTPS now.
What's missing is that the trendline is flat "0.0".

That's probably due to the eventstats not having a time component. However, changing it to | eventstats max(TPS) as peakTPS by _time doesn't work either, as the last timechart statement will only pick up the first peakTPS value... which isn't the highest.

mayurr98
Super Champion

Okay, try this:

index=<your_index> | timechart span=1s count as TPS | timechart max(TPS)

randy_moore
Path Finder

Well, I get a TPS (but not max) and a trendline, so 50/50 🙂
I don't think I have enough karma to post a direct URL of a screenshot... but let me try

https://www.screencast.com/t/tVUoz1oYJjAq

randy_moore
Path Finder

Copy/paste that URL and you will see that the max_tps is not really the maximum. There are other higher values there, but it's not displaying those higher values.

For this example, the query is really simple:
index=main | timechart span=1s count AS TPS | timechart span=1s max(TPS) AS Max_TPS

The time window is "last 2 minutes"... super duper simple that it should work without question. Pulling my hair out 😞

randy_moore
Path Finder

I think I have it figured out:

index=main | eval TPS=1 | timechart per_second(TPS) AS TPS | timechart span=2m max(TPS)

The "span" in the 2nd timechart has to match the time window that I want. Once I change that, it does give me the max TPS.
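
An added illustration, not part of the thread and not Splunk's code: a small Python model of the two timechart stages, showing why a second stage with span=1s returns the per-second series unchanged while a wider span returns the peak. It assumes plain epoch-second timestamps and buckets that start at multiples of the span; the function names and the sample events are constructed for this example.

```python
from collections import Counter

def timechart_count(event_times, earliest, latest, span=1):
    """Model of `timechart span=<span>s count AS TPS` over [earliest, latest).

    Assumption: buckets start at multiples of `span`; empty buckets become 0.
    """
    counts = Counter(int(t) - int(t) % span
                     for t in event_times if earliest <= t < latest)
    first = earliest - earliest % span
    return [(b, counts.get(b, 0)) for b in range(first, latest, span)]

def timechart_max(rows, span):
    """Model of a second `timechart span=<span>s max(TPS)` over stage-1 rows."""
    out = {}
    for t, tps in rows:
        b = t - t % span                    # bucket this row falls into
        out[b] = max(out.get(b, tps), tps)  # keep the largest TPS per bucket
    return sorted(out.items())

# Constructed sample: a 2-minute window (seconds 1230..1349) at 2 events/s,
# with a burst to 9 events in second 1275 and to 5 events in second 1330.
EARLIEST, LATEST = 1230, 1350
EVENTS = [s + off for s in range(EARLIEST, LATEST) for off in (0.1, 0.6)]
EVENTS += [1275.2] * 7 + [1330.3] * 3

PER_SECOND = timechart_count(EVENTS, EARLIEST, LATEST, span=1)

if __name__ == "__main__":
    # Same 1s span in stage 2: every bucket holds one row, so max(TPS) == TPS.
    print(timechart_max(PER_SECOND, 1) == PER_SECOND)
    # 2m span in stage 2: each bucket now covers many seconds and keeps its peak.
    print(timechart_max(PER_SECOND, 120))
    # Peak over the whole window, for comparison.
    print(max(tps for _, tps in PER_SECOND))
```

With the constructed data the 2-minute span yields two rows, because the window does not start on a bucket boundary, and the peak of 9 lands in the earlier one. A single value panel displays the most recent row, so it is worth checking which bucket the peak fell into.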


adonio
Ultra Champion

Hello there,

try this: <search> earliest=-1h | eval TPS=1 | timechart span=1s max(TPS) as TPS

Hope it helps

randy_moore
Path Finder

Sorry @adonio, I wish it was that easy.
What I get is a TPS value of 1 (since I previously defined it with the eval statement).

I tried changing it to timechart span=1s max(count) as TPS but that gave me a "0". Not sure why. I would have thought that would work. A simple timechart span=1s count AS TPS does give me values, just not the MAX.
