Splunk Search

How to calculate the AVG of bytes_in per clientip?

Communicator

Hi

With this SPL, I have the average session time of each clientip in a web page.
But I do not know how to put the average bytes_in for each clientip

index=bigip host="F5-BOU-4K-A.entourage.intra"
| eval kb_in=Bytes_In/1024
| transaction session_id
| stats avg(duration) AS Avg_Session_time by Client_IP

Thank you

0 Karma
1 Solution

Communicator

Hi

You could try this without using transaction command for better performance:

index=bigip host="F5-BOU-4K-A.entourage.intra"
| stats min(_time) AS start max(_time) AS end last(Client_IP) AS Client_IP values(Bytes_In) AS Bytes_In by session_id
| eval duration=end - start
| eval _time=start
| stats avg(duration) AS Avg_Session_Time avg(Bytes_In) AS Avg_Bytes_In by Client_IP
| eval kb_in=Avg_Bytes_In/1024

Hope it helps

Communicator

Yes, it works.
So, basically, it is better to use "plain" SPL rather than commands like transaction, associate, cluster, etc., to get results faster, right?

0 Karma

Communicator

Yes. As the doc for transaction states:

The transaction command is most useful in two specific cases:

  1. When a unique ID (from one or more fields) alone is not sufficient to discriminate between two transactions.
    This is the case when the identifier is reused, for example web sessions identified by cookie or client IP. In this case, time spans or pauses are also used to segment the data into transactions. In other cases, when an identifier is reused, for example in DHCP logs, a particular message may identify the beginning or end of a transaction.

  2. When it is desirable to see the raw text of the events combined rather than an analysis on the constituent fields of the events.

In other cases, it's usually better to use the stats command, which performs more efficiently, especially in a distributed environment. Often there is a unique ID in the events and stats can be used.

0 Karma
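As an added example (not code from this thread), the following stand-alone Python model shows what the two approaches discussed above actually compute: the accepted answer's two-stage stats rollup (one row per session_id, then averages per Client_IP) and the pause-based segmentation that transaction performs when an identifier such as Client_IP is reused. The events, their field names (taken from the thread) and the 600-second maxpause are constructed assumptions for illustration only.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample events (not real BIG-IP data). Field names mirror the thread:
# _time is epoch seconds, Bytes_In is the bytes received from the client per event.
EVENTS = [
    {"_time": 1000, "session_id": "s1", "Client_IP": "10.0.0.1", "Bytes_In": 1024},
    {"_time": 1030, "session_id": "s1", "Client_IP": "10.0.0.1", "Bytes_In": 1024},
    {"_time": 1090, "session_id": "s1", "Client_IP": "10.0.0.1", "Bytes_In": 2048},
    {"_time": 2000, "session_id": "s2", "Client_IP": "10.0.0.2", "Bytes_In": 512},
    {"_time": 2020, "session_id": "s2", "Client_IP": "10.0.0.2", "Bytes_In": 512},
    {"_time": 5000, "session_id": "s3", "Client_IP": "10.0.0.1", "Bytes_In": 4096},
]


def per_session_rollup(events, bytes_mode="sum"):
    """Stage 1 of the accepted answer: '... by session_id'.

    start=min(_time), end=max(_time), Client_IP=last(Client_IP).
    bytes_mode="sum"    models sum(Bytes_In): the session's total bytes.
    bytes_mode="values" models values(Bytes_In): only the DISTINCT sizes seen.
    """
    per_session = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["_time"]):
        per_session[ev["session_id"]].append(ev)

    rows = []
    for sid, evs in per_session.items():
        sizes = [e["Bytes_In"] for e in evs]
        if bytes_mode == "values":
            bytes_in = sorted(set(sizes))      # distinct values, multivalue field
        else:
            bytes_in = sum(sizes)              # one number per session
        rows.append({
            "session_id": sid,
            "Client_IP": evs[-1]["Client_IP"], # last(Client_IP) in time order
            "duration": evs[-1]["_time"] - evs[0]["_time"],
            "Bytes_In": bytes_in,
        })
    return rows


def per_client_average(session_rows):
    """Stage 2 of the accepted answer: avg(duration), avg(Bytes_In) by Client_IP.

    A multivalue Bytes_In (from values()) is assumed here to contribute every
    retained value to the average; a scalar Bytes_In contributes one value.
    """
    per_client = defaultdict(list)
    for row in session_rows:
        per_client[row["Client_IP"]].append(row)

    result = {}
    for ip, rows in per_client.items():
        byte_values = []
        for row in rows:
            b = row["Bytes_In"]
            byte_values.extend(b if isinstance(b, list) else [b])
        avg_bytes = mean(byte_values)
        result[ip] = {
            "Avg_Session_Time": mean([r["duration"] for r in rows]),
            "Avg_Bytes_In": avg_bytes,
            "Avg_KB_In": avg_bytes / 1024,   # the thread's kb_in conversion
        }
    return result


def segment_by_pause(events, key="Client_IP", maxpause=600):
    """Model of transaction when the identifier is reused (the doc's case 1).

    Events sharing `key` start a new transaction whenever the gap to the
    previous event exceeds maxpause seconds, as with 'transaction Client_IP
    maxpause=10m'. Each returned transaction carries duration and total bytes.
    """
    by_key = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["_time"]):
        by_key[ev[key]].append(ev)

    groups = []
    for evs in by_key.values():
        current = [evs[0]]
        for ev in evs[1:]:
            if ev["_time"] - current[-1]["_time"] > maxpause:
                groups.append(current)   # pause too long: close the transaction
                current = [ev]
            else:
                current.append(ev)
        groups.append(current)

    return [
        {
            key: g[0][key],
            "start": g[0]["_time"],
            "end": g[-1]["_time"],
            "duration": g[-1]["_time"] - g[0]["_time"],
            "Bytes_In": sum(e["Bytes_In"] for e in g),
        }
        for g in groups
    ]


if __name__ == "__main__":
    print(per_client_average(per_session_rollup(EVENTS, "sum")))
    print(per_client_average(per_session_rollup(EVENTS, "values")))
    print(segment_by_pause(EVENTS))
```

Two points the model makes visible. First, values() keeps only distinct values, so the repeated 1024-byte event in session s1 is dropped and the per-client figure is neither a per-event nor a per-session average; if "average bytes per session" is what is wanted, sum(Bytes_In) in the first stats is the better choice. Second, the pause-based split only matters when session_id is absent or reused (here the same Client_IP appears again nearly an hour later); when each session has its own unique ID, the stats rollup already yields the same boundaries without the memory cost of transaction.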