Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Timechart: show rate derived from total count

aluetjen
Explorer
‎05-20-2014 10:27 PM

Very frequently, I collect statistics in the form of absolute values like "Total number of requests", "Size of queue" etc.

Is there an easy way to show the change rate in a timechart?

Let's say we have the following simple timechart that shows the egress of messages per queue per minute:

timechart span=1m max(total_egress) by queue

Data: 0 - 10 - 20 - 200

How I can convert this to messages sent per minute per queue?

Data: 0 - 10 - 10 - 180

I found something like this http://answers.splunk.com/answers/59617/show-proper-rate-of-a-continually-increasing-value but it is way to elaborate for my taste. I would like to able to calculate that rate ad hoc in a search.

Or there is http://answers.splunk.com/answers/46472/find-rate-from-total but that doesn't work if I need the rate by queue.

Tags (1)
0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎05-20-2014 11:08 PM

Hi aluetjen,

here are some run everywhere examples for the messages sent per minute per queue

index=_internal earliest=-15m@m | timechart span=1m count by series
index=_internal earliest=-15m@m | timechart span=1m sum(kbps) AS mySum by series

and if you want to use delta on this

index=_internal earliest=-15m@m | bucket _time span=1m | stats count AS myCount by series, _time | delta myCount
index=_internal earliest=-15m@m | bucket _time span=1m | stats sum(kbps) AS mySum by series, _time | delta mySum

The count examples will give you a total count of events for each series and the sum example will sum the values of the given field, in this case kbps of each series.

hope this helps to get you started ...

cheers, MuS

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

How to find the worst searches in your Splunk environment and how to fix them

Everyone knows Splunk is a powerful platform for running searches and doing data analytics. Your ...

Share Your Feedback: On Admin Config Service (ACS)!

Help Us Build a Better Admin Config Service Experience (ACS)   We Want Your Feedback on Admin Config Service ...