subquery to get average throughput

rakesh_498115 · ‎06-12-2012

Hi ,

I need to find the average throughput of the sales transaction.ie no of requests /no of responses * 100 .. so i have used the subsearch like this ..but couldnt get the results..

soucetype="X" POST [ soucetype="X" GET | stats count as TotalReq ] | stats count as TotalRes | eval Throughput=(TotalReq*100)/TotalRes | table Throughput

But this didnt work..need help on this..

sideview · ‎06-12-2012

the approach you're intuitively looking for is more like the 'appendcols' param.

What your current subsearch will do, in a literal sense, is add the following search term to the 'outer' search: TotalReq="117", which is not going to be useful.

However, what you want to do instead of using any kind of square bracket syntax, is extract the values GET and POST from the raw events (they may already be extracted as a field called 'method', and then things get much easier.

For example, this will automatically give you a percent column:

sourcetype="X" | top method

but if you want to generate things more manually, you can still do things like this:

sourcetype="X" | eventstats count as totalCount | stats first(totalCount) as totalCount count by method | eval throughput=count*100/totalCount

The eventstats and streamstats commands are both useful for places where you feel like you need to process the data twice, places where often people reach out to subsearches and append/join initially.

subquery to get average throughput

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM