How can I calculate in real-time the data rate (kbps) of events being indexed?

1	I would like to find out how much data per second (let's say in kilobytes per second) my indexer is receiving and indexing. What search could help me find this out? performance indexing eps asked 23 Sep '11, 08:45 hexx ♦ 7.5k●1●9●41 accept rate: 51% edited 07 Oct '11, 00:41

One Answer:

oldest newest most voted

Run the following search over the time range real-time(all time) and you will be able to see what the incoming data rate (in kilobytes of rawdata per second) for a given subset of event looks like :

host=hypodermic_noodle | eval search_time=now() | eval seconds_elapsed=(time() - search_time) | eval secs=if(seconds_elapsed<0,"1",seconds_elapsed) | eval esize=((len(_raw)/1024)) | stats sum(esize) as sum_esize, last(secs) AS seconds | stats last(sum_esize) AS "event rawdata indexed (kb)", last(seconds) AS "search seconds elapsed", last(eval(sum_esize/seconds)) AS kbps

This example targets a specific host, but feel free to change the first search terms to better suit your needs.

link

answered 23 Sep '11, 08:49

hexx ♦
7.5k●1●9●41
accept rate: 51%

edited 23 Sep '11, 08:50

Post your answer

toggle preview

Follow this question

Email:

RSS:

Answers

Answers + Comments

Markdown Basics

*italic* or _italic_
**bold** or __bold__
link:[text](http://url.com/ "Title")
image?![alt text](/path/img.jpg "Title")
numbered list: 1. Foo 2. Bar
to add a line break simply add two spaces to where you would like the new line to be.
basic HTML tags are also supported

learn more about Markdown

Tags:

indexing ×326
performance ×147
eps ×8

Asked: 23 Sep '11, 08:45

Seen: 490 times

Last updated: 07 Oct '11, 00:41

How can I calculate in real-time the data rate (kbps) of events being indexed?

Follow this question

Splunk Resources

Related questions