Splunk getting average TPS for each service

Question

I am having an issue in Splunk Enterprise regarding getting average transactions per second for my scenario. In my case I want to, for a given time period, get average transactions per second for each webservice request...

When I use following syntax its working fine:

index="index"  
| transaction "correlationId" keepevicted=true 
| timechart span=1s count as TPS 
| stats count avg(TPS)

...but then I get average transactions per second for all webservice requests.

If I try the below:

index="index"  
| transaction "correlationId"  keepevicted=true 
| timechart span=1s count as TPS 
| stats count avg(TPS) by "service"

...I dont get any result back

Is there something I am doing completely wrong here?

All help and tips are much appreciated

Answer 1

timechart is a transforming command. That means it does not pass all fields on to the next command so the stats command sees only 'count' and 'TPS' and not 'service'. Try this:

index="index"  | transaction "correlationId"  keepevicted=true 
| timechart span=1s count as TPS by service | stats count avg(TPS) by service

Answer 2

You may find a solution similar to one I needed a while back to be helpful - timechart without using timechart

index=ndx sourcetype=srctp correlationId=* service=* earliest=-60m
| eval secs=strftime(_time, "%S")
| stats dc(correlationId) as TPS by secs service
| stats avg(TPS) as avgTPS by service

Or chart instead of stats :

| chart avg(TPS) as avgTPS by service