
Timechart: show rate derived from total count

aluetjen
Explorer

Very frequently, I collect statistics in the form of absolute values like "Total number of requests", "Size of queue" etc.

Is there an easy way to show the change rate in a timechart?

Let's say we have the following simple timechart that shows the egress of messages per queue per minute:

timechart span=1m max(total_egress) by queue

Data: 0 - 10 - 20 - 200

How can I convert this to messages sent per minute per queue?

Data: 0 - 10 - 10 - 180

I found something like this http://answers.splunk.com/answers/59617/show-proper-rate-of-a-continually-increasing-value but it is way too elaborate for my taste. I would like to be able to calculate that rate ad hoc in a search.

Or there is http://answers.splunk.com/answers/46472/find-rate-from-total but that doesn't work if I need the rate by queue.

0 Karma

MuS
SplunkTrust

Hi aluetjen,

Here are some run-everywhere examples for the messages sent per minute per queue:

index=_internal earliest=-15m@m | timechart span=1m count by series
index=_internal earliest=-15m@m | timechart span=1m sum(kbps) AS mySum by series

And if you want to use delta on this:

index=_internal earliest=-15m@m | bucket _time span=1m | stats count AS myCount by series, _time | delta myCount
index=_internal earliest=-15m@m | bucket _time span=1m | stats sum(kbps) AS mySum by series, _time | delta mySum

The count examples will give you a total count of events for each series and the sum example will sum the values of the given field, in this case kbps of each series.

hope this helps to get you started ...

cheers, MuS

0 Karma
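
An added example, not part of either post above: one way to turn a cumulative counter into a per-minute rate for each queue is `streamstats ... BY queue`, which, unlike `delta`, keeps a separate previous value per queue. The `makeresults` lines build constructed sample data (queue A uses the totals from the question, queue B includes a counter reset); `prev_total` and `per_minute` are field names chosen here, and treating a drop in the counter as a restart from zero is an assumption.

```spl
| makeresults count=8
| streamstats count AS n
| eval queue = if(n <= 4, "A", "B"), i = if(n <= 4, n, n - 4)
| eval constructed_totals = if(queue == "A", "0,10,20,200", "5,15,3,8")
| eval total_egress = tonumber(mvindex(split(constructed_totals, ","), i - 1))
| eval _time = relative_time(now(), "@m") - (4 - i) * 60
| bin _time span=1m
| stats max(total_egress) AS total_egress BY _time, queue
| sort 0 queue, _time
| streamstats current=f last(total_egress) AS prev_total BY queue
| eval per_minute = case(isnull(prev_total), null(), total_egress < prev_total, total_egress, true(), total_egress - prev_total)
| timechart span=1m max(per_minute) BY queue
```

On real data, replace everything up to and including the `eval _time` line with the base search. The first bucket of each queue stays empty because it has no previous total to subtract.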