topic Re: How to create a timechart that includes the count of distinct IP addresses with the count and average of transactions by request type? in Splunk Search

How to create a timechart that includes the count of distinct IP addresses with the count and average of transactions by request type?

JeToJedno — Tue, 29 Sep 2020 08:47:13 GMT

I want to create a timechart which has results:
- count of distinct IP addresses
- average of transaction response time, by request type
- count of transactions, by request type

Each request has an IP address, a type, and a transaction response time.

I can't find a way to create or add the count of distinct IP addresses without doing a second pass through the logs, which is inefficient as we have ~750,000 txns per hour.

I've tried many different combinations of bin, stats, chart, & timechart, and I got close (a column for each transaction_type of distinct_ip_addresses, count of transactions, sum of response_time), but then couldn't find a way to create the max(distinct_ip_addresses) across the 8 fields (columns) created.

Any advice (or a better way)?

Re: How to create a timechart that includes the count of distinct IP addresses with the count and average of transactions by request type?

somesoni2 — Wed, 10 Feb 2016 19:18:40 GMT

Try something like this

Your base search with fields _time ip_address request_type response_time 
| bucket span=1h _time 
| stats count sum(response_time) as response_time by _time  ip_address request_type 
| stats dc(ip_address) as uniq_ips sum(count) as transaction_count sum(response_time) as response_time) by _time request_type 
| eval avg_response_time=round(response_time/transaction_count,2) | fields - response_time 
| chart values(uniq_ips) values(avg_response_time) values(transaction_count) over _time by request_type

Re: How to create a timechart that includes the count of distinct IP addresses with the count and average of transactions by request type?

JeToJedno — Tue, 29 Sep 2020 08:43:54 GMT

Many thanks. That's very close. I added "AS" clauses to the values(), but I'm missing a final step - how do I combine the multiple uniq_ips into a single one (using max)?
All the methods I've tried don't work with globing, e.g. eval max(uniq_ip:*), and I don;t want to detail each transaction type as I'd then need to keep track of what the architects and development teams are doing and update the analysis each time they add a new transaction type ...

Re: How to create a timechart that includes the count of distinct IP addresses with the count and average of transactions by request type?

JeToJedno — Tue, 29 Sep 2020 08:43:56 GMT

I added the following, in place of the chart line:
| eventstats allnum=false max(uniq_ips) as max_uniq_ips by _time | fields - uniq_ips

Now I just need to form an appropriate chart line to create a single value ...