I'm looking at behavior of a service which consumes messages about products, the unifying factor being a field called UPC. In theory there should just be a single message sent across per UPC, but I know this is often not the case and regularly see up to 20 messages per UPC come across.
I'm not concerned with individual UPCs here, but with aggregate data: what's the average number of messages per UPC over the 50000 UPCs we saw come through? The median? The maximum?
I can get these with the transaction command:
**sourcetype=blahblah | transaction UPC_CODE | timechart span=1m max(eventcount),median(eventcount),avg(eventcount)**
But this is really slow and I can't help but think there is a more efficient way to do this.
Try this:
sourcetype=blahblah | stats count BY UPC_CODE
Then add on this:
... | stats max(count) median(count) avg(count)
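To make the two-stage pipeline in the answer concrete, here is an added Python model of it (not part of the original thread, not Splunk code) run over a handful of constructed events. `count_per_upc` plays the role of `stats count BY UPC_CODE` and `summarize` the role of the second `stats`; `per_minute` shows what the question's `timechart span=1m` variant computes instead, since the answer's search has no time bucketing and returns one row for the whole search window.

```python
"""Model of `stats count BY UPC_CODE | stats max(count) median(count) avg(count)`."""
from collections import Counter, defaultdict
from statistics import median

# Constructed sample events: (epoch seconds, UPC_CODE). Not real data.
EVENTS = [
    (0, "A"), (5, "A"), (10, "B"), (20, "A"), (30, "C"),
    (65, "B"), (70, "C"), (80, "C"), (90, "D"), (100, "C"),
]


def count_per_upc(events):
    """Stage 1 (`stats count BY UPC_CODE`): one row per UPC holding its event count.
    This is a plain count; unlike `transaction`, it never tries to stitch events
    into sessions, so it needs no per-UPC state beyond a counter."""
    return Counter(upc for _, upc in events)


def summarize(counts):
    """Stage 2 (`stats max(count) median(count) avg(count)`): collapse the per-UPC
    rows to a single row of aggregates over the count values.
    Note: statistics.median is exact; Splunk's median() is its perc50 estimate."""
    values = list(counts.values())
    return {
        "max": max(values),
        "median": median(values),
        "avg": sum(values) / len(values),
    }


def per_minute(events, span=60):
    """Equivalent of the question's `timechart span=1m ...` shape: bucket events by
    minute first, then run both stages inside each bucket. Returns {bucket: row}."""
    buckets = defaultdict(list)
    for ts, upc in events:
        buckets[ts - ts % span].append((ts, upc))
    return {start: summarize(count_per_upc(evs)) for start, evs in sorted(buckets.items())}


if __name__ == "__main__":
    print("whole window:", summarize(count_per_upc(EVENTS)))
    for start, row in per_minute(EVENTS).items():
        print(f"minute starting {start:>4}s:", row)
```

If the per-minute breakdown is what you actually want, keep the cheap `stats` approach but bucket first (`... | bin _time span=1m | stats count BY _time UPC_CODE | stats max(count) median(count) avg(count) BY _time`) rather than going back to `transaction`.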