I'm trying to show MAX TPS on a single value panel, with a trendline.
Showing just TPS is easy:
<search> earliest=1h |eval TPS = 1 | timechart per_second(TPS) as TPS
That works as it should on a singe value panel.
Now on a second single value panel I want to show max TPS over the same time period, also with a trendline. I cant figure out the query to do so using timechart.
I have a feeling this is Splunk 101 stuff and I should know this but I am stuck.
sorry @adonio, I wish it was that easy.
what I get is a TPS value of 1 (since I previously defined it with the eval statement).
I tried changing it to timechart span=1s max(count) as TPS but that gave me a "0".. not sure why. I would have thought that would work. A simple timechart span=1s count AS TPS does give me values, just not the MAX.
hey this query shows
avg TPS,max TPS ,max time in a single search
index=<your_index> | timechart span=1s count AS TPS | eventstats max(TPS) as peakTPS | eval peakTime=if(peakTPS==TPS,_time,null()) | stats avg(TPS) as avgTPS first(peakTPS) as peakTPS first(peakTime) as peakTime | fieldformat peakTime=strftime(peakTime,"%x %X")
The eventstats command calculates the peakTPS and then the following eval command determines when that peakTPS occurred.
let me know if this helps !
I saw that answer too @mayurr98, but it won't work for me because I need to show a single value, with a trendline. "stats" since it is does not have a time component will not allow for a trend line to be displayed
Well you can modify this query
index=<your_index> | timechart span=1s count AS TPS | eventstats max(TPS) as peakTPS | timechart span=1s first(peakTPS) as peakTPS
Let me know if this helps !
That's closer! At least I get a value for peakTPS now.
What's missing is that the trendline is flat "0.0".
That's probably due to the eventstats not having a time component. However changing it to | eventstats max(TPS) as peakTPS by _time doesn't work either as the last timechart statement will only pick up the first peakTPS value....which isn't the highest.
Copy/paste that url and you will see that the max_tps is not really the maximum. There are other higher values there but its not displaying those higher values.
for this example, the query is really simple
index=main | timechart span=1s count AS TPS | timechart span=1s max(TPS) AS Max_TPS
the time window is "last 2 minutes" ...super duper simple that it should work without question. pulling my hair out 😞