Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Peak hourly volume monthly wise for last 3 months.

Allampally
Path Finder
‎03-09-2024 06:25 AM

Hi Team,

I want to calculate peak hourly volume of each month for each service. Each service can have different peak times and first need to calculate peak hour of each component for the month. Likewise calculate for last 3 months. Then calculate the average of 3 months peak hourly volume.
Below table is the sample requirement.

 January-24February-24March-24Avg Volume
service120502030
service24385
service320304030
service43000030000900023000
service5200300400300
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-10-2024 01:08 AM 
| bin _time span=1h
| stats count as volume by _time component
| bin _time span=1mon
| chart max(volume) as volume by component _time
| addtotals
| eval Average=Total/3

View solution in original post

Reply
Solved! Jump to solution

Allampally
Path Finder
‎03-11-2024 06:59 AM

Thanks @ITWhisperer - It worked for me

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-09-2024 07:30 AM 
| bin _time span=1h
| stats sum(volume) as volume by _time component
| bin _time span=1mon
| chart max(volume) as volume by component _time
| addtotals
| eval Average=Total/3
0 Karma
Reply
Solved! Jump to solution

Allampally
Path Finder
‎03-09-2024 08:17 AM

 

What is the field used as "volume" ? Is it similar to "count" in stats to get volume ? 

I tried this but not working and tried a portion of your query 

| bin _time span=1h
| stats sum(count) as volume by _time component

Its not reporting anything under volume

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎03-09-2024 03:07 PM

Count is not the same as volume. Unless you have a synthetic field added during ingestion (or use summary indexing), you have to calculate it manually (unfortunately you cannot use tstats for that so it's gonna be costly since every single matching event has to be read and "measured")

index=whatever <your other conditions>
| eval eventlength=len(_raw)

Now you can do some summarizing

| bin _time span=1h
| stats sum(eventlength) as volume by source component whatever

This will give you one hour volumes. Now you can do with it whatever you want. Like the stats @ITWhisperer  already posted.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-09-2024 08:20 AM

Since you didn't provide any sample events I had to guess - since you still haven't provided any sample events I can only guess whether this is right or not. Since it apparently isn't giving what you want, I would guess it isn't right. In your search, what is count? Is it a field in your events?

0 Karma
Reply
Solved! Jump to solution

Allampally
Path Finder
‎03-09-2024 08:46 AM

This is the sample stats command for my log. 

index=company app=abc | stats count by component

I don't have field for volume. We have to calculate volume from the stats count. 

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-10-2024 01:08 AM 
| bin _time span=1h
| stats count as volume by _time component
| bin _time span=1mon
| chart max(volume) as volume by component _time
| addtotals
| eval Average=Total/3
Reply
Get Updates on the Splunk Community!

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

A Guide To Cloud Migration Success

As enterprises’ rapid expansion to the cloud continues, IT leaders are continuously looking for ways to focus ...

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...