Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- graphing a logs per second value
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm using this query to graph how many web requests are being logged per second:
index="bigip_ltm" (event=HTTP_REQUEST OR event=HTTP_RESPONSE) client_ip=1.2.3.4 | timechart count(event) by event
But, in line with many questions here, the count() is graphed over a time interval derived from the search period. I've tried many permutations of span=1s, bucket commands etc, but I can't work out how to plot an average one second value over whatever period of time is represented on the graph.
In this question http://splunk-base.splunk.com/answers/46978/average-field-value-per-second the "per_second" data is in the logs, but i want a per_second of the count of the number of logs, so one step further removed.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Maybe this question and its answers can help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Maybe this question and its answers can help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yeah, that's pretty useful. I thought there needed to be another aggregation stage but couldn't work out what it might be.
I've now got this
index="bigip_ltm" (event=HTTP_REQUEST OR event=HTTP_RESPONSE) client_ip=1.2.3.4 | timechart count by event | timechart per_second(HTTP_REQUEST) per_second(HTTP_RESPONSE)
I don't like having to field values end up as static field names, but I presume that's pretty much unavoidable? There's no way to graph all the "event" values implicitly?
Either way, that's got me what I asked for! thanks!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Unlocking Unified Insights: New Gigamon Federated Search App for Splunk
GA: New Data Management App in Splunk Platform
Announcing Modern Navigation: A New Era of Splunk User Experience
