Timechart: show rate derived from total count

aluetjen · ‎05-20-2014

Very frequently, I collect statistics in the form of absolute values like "Total number of requests", "Size of queue" etc.

Is there an easy way to show the change rate in a timechart?

Let's say we have the following simple timechart that shows the egress of messages per queue per minute:

timechart span=1m max(total_egress) by queue

Data: 0 - 10 - 20 - 200

How I can convert this to messages sent per minute per queue?

Data: 0 - 10 - 10 - 180

I found something like this http://answers.splunk.com/answers/59617/show-proper-rate-of-a-continually-increasing-value but it is way to elaborate for my taste. I would like to able to calculate that rate ad hoc in a search.

Or there is http://answers.splunk.com/answers/46472/find-rate-from-total but that doesn't work if I need the rate by queue.

MuS · ‎05-20-2014

Hi aluetjen,

here are some run everywhere examples for the messages sent per minute per queue

index=_internal earliest=-15m@m | timechart span=1m count by series
index=_internal earliest=-15m@m | timechart span=1m sum(kbps) AS mySum by series

and if you want to use delta on this

index=_internal earliest=-15m@m | bucket _time span=1m | stats count AS myCount by series, _time | delta myCount
index=_internal earliest=-15m@m | bucket _time span=1m | stats sum(kbps) AS mySum by series, _time | delta mySum

The count examples will give you a total count of events for each series and the sum example will sum the values of the given field, in this case kbps of each series.

hope this helps to get you started ...

cheers, MuS

Timechart: show rate derived from total count

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!