Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

highest event count in given time frame per seconds

ronport2020
New Member
‎11-17-2020 11:25 AM

I'm trying to do the following search based on my index 'transactions' and field name called 'customers' for a custom time range

 

Top 10 highest historical peak rates averaged over the following intervals (1 sec, 10 sec, 60 sec, 5 min)

Top 10 highest daily transaction counts

Labels (2)
Labels
0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎11-17-2020 06:38 PM 
...
| bin span=1s _time 
| stats count by _time
| stats max(count) as "winner winner chicken dinner"

That's probably your basic need right there.  Change "span=..." to whatever you need.  'count' is probably what you want to use for the counts, but the peak rates - you don't tell us how those even might be calculated. It might be "max(fieldname)" or something else. 

Note, I think by second probably isn't gonna be a very fast thing to do over a longer period of time.  There are 86,400 if those it'll calculate every day...

Report acceleration may help, and/or building a data model and accelerating that.  Or using tstats if they're indexed fields you are fiddling with.  Lastly, this might actually be a good use for using a summary index.

All of those things are easily able to be found with a search of (using google syntax, but I think most search engines follow that?) 'Splunk report acceleration site:docs.splunk.com' (obviously, change the keywords in there).

Happy Splunking,

Rich

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
Top