Splunk Search
Highlighted

How to show max TPS with trendline

Path Finder

I'm trying to show MAX TPS on a single value panel, with a trendline.
Showing just TPS is easy:

<search> earliest=1h   |eval TPS = 1  | timechart per_second(TPS) as TPS

That works as it should on a singe value panel.

Now on a second single value panel I want to show max TPS over the same time period, also with a trendline. I cant figure out the query to do so using timechart.

I have a feeling this is Splunk 101 stuff and I should know this but I am stuck.
Help please

0 Karma
Highlighted

Re: How to show max TPS with trendline

SplunkTrust
SplunkTrust

hello there:

try this: <search> earliest=1h   |eval TPS = 1  | timechart span=1s max(TPS) as TPS

hope it helps

0 Karma
Highlighted

Re: How to show max TPS with trendline

Path Finder

sorry @adonio, I wish it was that easy.
what I get is a TPS value of 1 (since I previously defined it with the eval statement).

I tried changing it to timechart span=1s max(count) as TPS but that gave me a "0".. not sure why. I would have thought that would work. A simple timechart span=1s count AS TPS does give me values, just not the MAX.

0 Karma
Highlighted

Re: How to show max TPS with trendline

SplunkTrust
SplunkTrust

hey this query shows avg TPS,max TPS ,max time in a single search

 index=<your_index>
 | timechart span=1s count AS TPS
 | eventstats max(TPS) as peakTPS
 | eval peakTime=if(peakTPS==TPS,_time,null())
 | stats avg(TPS) as avgTPS first(peakTPS) as peakTPS first(peakTime) as peakTime
 | fieldformat peakTime=strftime(peakTime,"%x %X")

The eventstats command calculates the peakTPS and then the following eval command determines when that peakTPS occurred.
let me know if this helps !

View solution in original post

Highlighted

Re: How to show max TPS with trendline

Path Finder

I saw that answer too @mayurr98, but it won't work for me because I need to show a single value, with a trendline. "stats" since it is does not have a time component will not allow for a trend line to be displayed

0 Karma
Highlighted

Re: How to show max TPS with trendline

SplunkTrust
SplunkTrust

Well you can modify this query

index=<your_index>
  | timechart span=1s count AS TPS
  | eventstats max(TPS) as peakTPS
  | timechart span=1s first(peakTPS) as peakTPS

Let me know if this helps !

0 Karma
Highlighted

Re: How to show max TPS with trendline

Path Finder

That's closer! At least I get a value for peakTPS now.
What's missing is that the trendline is flat "0.0".

That's probably due to the eventstats not having a time component. However changing it to | eventstats max(TPS) as peakTPS by _time doesn't work either as the last timechart statement will only pick up the first peakTPS value....which isn't the highest.

0 Karma
Highlighted

Re: How to show max TPS with trendline

SplunkTrust
SplunkTrust

Okay try this

index=<your_index> l timechart span=1s count as TPS | timechart max(TPS)
0 Karma
Highlighted

Re: How to show max TPS with trendline

Path Finder

Well I get a TPS (but not max) and a trendline, so 50/50 🙂
I dont thinik I have enough karma to post a direct url of a screenshot... but let me try

https://www.screencast.com/t/tVUoz1oYJjAq

0 Karma
Highlighted

Re: How to show max TPS with trendline

Path Finder

Copy/paste that url and you will see that the max_tps is not really the maximum. There are other higher values there but its not displaying those higher values.

for this example, the query is really simple
index=main | timechart span=1s count AS TPS | timechart span=1s max(TPS) AS Max_TPS

the time window is "last 2 minutes" ...super duper simple that it should work without question. pulling my hair out 😞

0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.