Very frequently, I collect statistics in the form of absolute values like "Total number of requests", "Size of queue" etc.
Is there an easy way to show the change rate in a timechart?
Let's say we have the following simple timechart that shows the egress of messages per queue per minute:
timechart span=1m max(total_egress) by queue
Data: 0 - 10 - 20 - 200
How I can convert this to messages sent per minute per queue?
Data: 0 - 10 - 10 - 180
I found something like this http://answers.splunk.com/answers/59617/show-proper-rate-of-a-continually-increasing-value but it is way to elaborate for my taste. I would like to able to calculate that rate ad hoc in a search.
Or there is http://answers.splunk.com/answers/46472/find-rate-from-total but that doesn't work if I need the rate by queue.
here are some run everywhere examples for the messages sent per minute per queue
index=_internal earliest=-15m@m | timechart span=1m count by series
index=_internal earliest=-15m@m | timechart span=1m sum(kbps) AS mySum by series
and if you want to use delta on this
index=_internal earliest=-15m@m | bucket _time span=1m | stats count AS myCount by series, _time | delta myCount
index=_internal earliest=-15m@m | bucket _time span=1m | stats sum(kbps) AS mySum by series, _time | delta mySum
The count examples will give you a total count of events for each series and the sum example will sum the values of the given field, in this case kbps of each series.
hope this helps to get you started ...