I want to query my access logs to learn where the majority of my traffic is coming from in 1 second buckets. This is my query.
sourcetype="access*" | timechart span=1s values(clientip) as ips, mode(clientip) as mode, count(mode) as hits
I get good data results for ips and mode. The first is a list of ip addresses and the second is the most frequent value in that list. The problem with this query is that hits is always zero. Can anyone please tell me how I can count the number of times the mode value appears in the result set?
This should work and it is all in a single search pipeline (no subsearches).
sourcetype="access*" | bin _time span="1s" | eventstats mode(clientip) as modeClientip by _time | eval isModeValue=if(clientip=modeClientip,1,0) | timechart span=1s values(clientip) as ips, mode(clientip) as mode, sum(isModeValue) as hits
eventstats makes a pass through the entire incoming set, and paints a little "modeClientip" field on each row. The value of modeClientip will be the mode(clientip) within the given 1-second time bucket. Then we make a little boolean field called isModeValue, and at the end timechart has a very easy job.
Note that the span of the bin command and the span of the timechart command have to match or confusing things might happen.
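As an added illustration (not part of the original answer), here is the same bin / eventstats-mode / eval / sum pipeline written in Python over a few constructed access-log lines, so the per-bucket "hits" value can be checked by hand. The log line format and the parse() helper are assumptions; Splunk's mode() tie-breaking is not specified, so this uses first-seen-wins.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed sample access-log lines (clientip and timestamp only); not real data.
SAMPLE_LOG = """\
10.0.0.1 [2024-01-01T00:00:00Z]
10.0.0.2 [2024-01-01T00:00:00Z]
10.0.0.1 [2024-01-01T00:00:00Z]
10.0.0.3 [2024-01-01T00:00:01Z]
10.0.0.3 [2024-01-01T00:00:01Z]
10.0.0.3 [2024-01-01T00:00:01Z]
10.0.0.4 [2024-01-01T00:00:01Z]
"""


def parse(log):
    """Yield (epoch_second, clientip) per line. Assumed format: '<ip> [<ISO-8601 UTC>]'."""
    for line in log.splitlines():
        ip, ts = line.split(" ", 1)
        dt = datetime.strptime(ts.strip("[]"), "%Y-%m-%dT%H:%M:%SZ")
        yield int(dt.replace(tzinfo=timezone.utc).timestamp()), ip


def mode_hits(log, span=1):
    """Equivalent of:
    bin _time span=<span> | eventstats mode(clientip) as modeClientip by _time
    | eval isModeValue=if(clientip=modeClientip,1,0)
    | timechart span=<span> values(clientip) as ips, mode(clientip) as mode, sum(isModeValue) as hits
    The same span is used for binning and for the output rows, matching the note above.
    """
    buckets = {}
    for t, ip in parse(log):
        buckets.setdefault(t - t % span, []).append(ip)   # bin _time span=...
    rows = []
    for t in sorted(buckets):
        ips = buckets[t]
        counts = Counter(ips)
        mode = counts.most_common(1)[0][0]                # eventstats mode(clientip) by _time
        hits = sum(1 for ip in ips if ip == mode)         # eval isModeValue + sum(isModeValue)
        rows.append({"_time": t, "ips": sorted(counts), "mode": mode, "hits": hits})
    return rows


if __name__ == "__main__":
    for row in mode_hits(SAMPLE_LOG):
        print(row)
```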
I don't think there is a way to do this in a simple search. The only way I can think of uses a subsearch.
sourcetype="access*" | eval modeValue = [ search sourcetype="access*" | timechart span=1s mode(clientip) as mode | return $mode ] | timechart span=1s values(clientip) as ips, mode(clientip) as mode, count(eval(clientip=modeValue)) as hits
This actually runs through the data twice. The subsearch returns the clientip value that is the most frequent value.