highest event count in given time frame per second...

ronport2020 · ‎11-17-2020

I'm trying to do the following search based on my index 'transactions' and field name called 'customers' for a custom time range

Top 10 highest historical peak rates averaged over the following intervals (1 sec, 10 sec, 60 sec, 5 min)

Top 10 highest daily transaction counts

Richfez · ‎11-17-2020

...
| bin span=1s _time 
| stats count by _time
| stats max(count) as "winner winner chicken dinner"

That's probably your basic need right there. Change "span=..." to whatever you need. 'count' is probably what you want to use for the counts, but the peak rates - you don't tell us how those even might be calculated. It might be "max(fieldname)" or something else.

Note, I think by second probably isn't gonna be a very fast thing to do over a longer period of time. There are 86,400 if those it'll calculate every day...

Report acceleration may help, and/or building a data model and accelerating that. Or using tstats if they're indexed fields you are fiddling with. Lastly, this might actually be a good use for using a summary index.

All of those things are easily able to be found with a search of (using google syntax, but I think most search engines follow that?) 'Splunk report acceleration site:docs.splunk.com' (obviously, change the keywords in there).

Happy Splunking,

Rich

highest event count in given time frame per seconds

count

stats

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM