Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to create a timechart that includes the count of distinct IP addresses with the count and average of transactions by request type?

JeToJedno
Explorer
‎02-10-2016 10:53 AM

I want to create a timechart which has results:
- count of distinct IP addresses
- average of transaction response time, by request type
- count of transactions, by request type

Each request has an IP address, a type, and a transaction response time.

I can't find a way to create or add the count of distinct IP addresses without doing a second pass through the logs, which is inefficient as we have ~750,000 txns per hour.

I've tried many different combinations of bin, stats, chart, & timechart, and I got close (a column for each transaction_type of distinct_ip_addresses, count of transactions, sum of response_time), but then couldn't find a way to create the max(distinct_ip_addresses) across the 8 fields (columns) created.

Any advice (or a better way)?

0 Karma
Reply

somesoni2
Revered Legend
‎02-10-2016 11:18 AM

Try something like this

Your base search with fields _time ip_address request_type response_time 
| bucket span=1h _time 
| stats count sum(response_time) as response_time by _time  ip_address request_type 
| stats dc(ip_address) as uniq_ips sum(count) as transaction_count sum(response_time) as response_time) by _time request_type 
| eval avg_response_time=round(response_time/transaction_count,2) | fields - response_time 
| chart values(uniq_ips) values(avg_response_time) values(transaction_count) over _time by request_type
Reply

JeToJedno
Explorer
‎02-11-2016 02:32 AM

Many thanks. That's very close. I added "AS" clauses to the values(), but I'm missing a final step - how do I combine the multiple uniq_ips into a single one (using max)?
All the methods I've tried don't work with globing, e.g. eval max(uniq_ip:*), and I don;t want to detail each transaction type as I'd then need to keep track of what the architects and development teams are doing and update the analysis each time they add a new transaction type ...

0 Karma
Reply

JeToJedno
Explorer
‎02-11-2016 03:07 AM

I added the following, in place of the chart line:
| eventstats allnum=false max(uniq_ips) as max_uniq_ips by _time | fields - uniq_ips

Now I just need to form an appropriate chart line to create a single value ...

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...