Splunk Search

How to create a timechart that includes the count of distinct IP addresses with the count and average of transactions by request type?

JeToJedno
Explorer

I want to create a timechart which has results:
- count of distinct IP addresses
- average of transaction response time, by request type
- count of transactions, by request type

Each request has an IP address, a type, and a transaction response time.

I can't find a way to create or add the count of distinct IP addresses without doing a second pass through the logs, which is inefficient as we have ~750,000 txns per hour.

I've tried many different combinations of bin, stats, chart, & timechart, and I got close (a column for each transaction_type of distinct_ip_addresses, count of transactions, sum of response_time), but then couldn't find a way to create the max(distinct_ip_addresses) across the 8 fields (columns) created.

Any advice (or a better way)?

0 Karma

somesoni2
Revered Legend

Try something like this

Your base search with fields _time ip_address request_type response_time 
| bucket span=1h _time 
| stats count sum(response_time) as response_time by _time  ip_address request_type 
| stats dc(ip_address) as uniq_ips sum(count) as transaction_count sum(response_time) as response_time by _time request_type 
| eval avg_response_time=round(response_time/transaction_count,2) | fields - response_time 
| chart values(uniq_ips) values(avg_response_time) values(transaction_count) over _time by request_type

JeToJedno
Explorer

Many thanks. That's very close. I added "AS" clauses to the values(), but I'm missing a final step - how do I combine the multiple uniq_ips into a single one (using max)?
All the methods I've tried don't work with globbing, e.g. eval max(uniq_ip:*), and I don't want to detail each transaction type as I'd then need to keep track of what the architects and development teams are doing and update the analysis each time they add a new transaction type ...

0 Karma

JeToJedno
Explorer

I added the following, in place of the chart line:
| eventstats allnum=false max(uniq_ips) as max_uniq_ips by _time | fields - uniq_ips

Now I just need to form an appropriate chart line to create a single value ...

0 Karma
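The thread's pipeline carried through to the one-row-per-hour result the last post is still looking for, as an added example that is not from the thread: the distinct-IP count per hour is taken with eventstats on the rows the first stats has already collapsed (no second pass over the raw events, and the count spans all request types instead of being the max of per-type counts), and the per-type columns are pivoted with eval's {request_type} field naming so a new request type simply shows up as a new column without editing the query. The base search on the first line, the field names ip_address, request_type and response_time, and the 1h span are assumptions taken from the thread.

```spl
index=app sourcetype=transactions
| bin span=1h _time
| stats count AS transaction_count
        sum(response_time) AS total_response_time
        BY _time ip_address request_type
| eventstats dc(ip_address) AS uniq_ips BY _time
| stats sum(transaction_count) AS transaction_count
        sum(total_response_time) AS total_response_time
        max(uniq_ips) AS uniq_ips
        BY _time request_type
| eval avg_response_time=round(total_response_time/transaction_count, 2)
| eval count_{request_type}=transaction_count, avg_rt_{request_type}=avg_response_time
| fields _time uniq_ips count_* avg_rt_*
| stats max(*) AS * BY _time
```

After the pivot each count_<type> and avg_rt_<type> field is non-null on exactly one row per hour and uniq_ips is identical on all of them, so the final stats max(*) by _time folds them into one row per hour with a single uniq_ips column beside the per-type columns; render the result as a line chart over _time.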