Re: Average Hits per Minute by Distinct SourceIP

mattreidy · ‎02-28-2011

I'm interested to know the average hits per minute by distinct source IP address from my web log data for a given time period.

(I'm sure this is REALLY simple but I've yet to figure it out...)

Thanks!

tgow · ‎03-03-2011

Is the search you are looking for:

... | bucket _time span=1m | stats dc(clientip) as dcip count(clientip) as totalcount by _time | eval avg_hit=(totalcount/dcip) | fields + _time, avg_hit

gkanapathy · ‎03-01-2011

Sounds to me like you really want the count of distinct source IPs, not the count by each source IP.

... | timechart span=1m distinct_count(src_ip)

dwaddle · ‎02-28-2011

This sounds like a good use of timechart, something like

my_search | timechart useother=false span=1m count(_raw) by src_ip

gkanapathy · ‎03-01-2011

The above is giving you the count of hits per distinct src_ip. But I suppose what you want is the count of distinct src_ip values, which is ... | timechart span=1m distinct_count(src_ip)

dwaddle · ‎02-28-2011

So lemme see here matt -- are you looking to reduce this to a single value per time period that is the avg# of per-ip hits? If so, the above search should be easily adjustable to do that. Please advise.

mattreidy · ‎02-28-2011

This gives me the raw count, but what I'm really after is the average of the count per IP...

Average Hits per Minute by Distinct SourceIP

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Event Series: Telemetry Pipeline Management

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Join the Conversation