Efficient way to get high-level messaging stats

mcomfurf
Path Finder

I'm looking at behavior of a service which consumes messages about products, the unifying factor being a field called UPC. In theory there should just be a single message sent across per UPC, but I know this is often not the case and regularly see up to 20 messages per UPC come across.

I'm not concerned with individual UPCs here, but with aggregate data: what's the average number of messages per UPC over the 50000 UPCs we saw come through? The median? The maximum?

I can get these with the transaction command:

**sourcetype=blahblah | transaction UPC_CODE | timechart span=1m max(eventcount),median(eventcount),avg(eventcount)**

But this is really slow and I can't help but think there is a more efficient way to do this.


woodcock
Esteemed Legend

Try this:

sourcetype=blahblah | stats count BY UPC_CODE

Then add on this:

... | stats max(count) median(count) avg(count)
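
Added example, not part of either post above: a variant that keeps the per-minute chart from the original `transaction` search while doing the grouping with `stats`. It assumes each UPC's group should be charted in the minute of its first event, which is how `transaction` timestamps its output; `eventcount` is reused as the field name so the chart columns match the original search.

```spl
sourcetype=blahblah
| stats count AS eventcount min(_time) AS _time BY UPC_CODE
| timechart span=1m max(eventcount) median(eventcount) avg(eventcount)
```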