I want to create a timechart which has results:
- count of distinct IP addresses
- average of transaction response time, by request type
- count of transactions, by request type
Each request has an IP address, a type, and a transaction response time.
I can't find a way to create or add the count of distinct IP addresses without doing a second pass through the logs, which is inefficient as we have ~750,000 txns per hour.
I've tried many different combinations of bin, stats, chart, & timechart, and I got close (a column for each transaction_type of distinct_ip_addresses, count of transactions, sum of response_time), but then couldn't find a way to create the max(distinct_ip_addresses) across the 8 fields (columns) created.
Any advice (or a better way)?
Try something like this
Your base search with fields _time ip_address request_type response_time
| bucket span=1h _time
| stats count sum(response_time) as response_time by _time ip_address request_type
| stats dc(ip_address) as uniq_ips sum(count) as transaction_count sum(response_time) as response_time) by _time request_type
| eval avg_response_time=round(response_time/transaction_count,2) | fields - response_time
| chart values(uniq_ips) values(avg_response_time) values(transaction_count) over _time by request_type
Many thanks. That's very close. I added "AS" clauses to the values(), but I'm missing a final step - how do I combine the multiple uniq_ips into a single one (using max)?
All the methods I've tried don't work with globing, e.g. eval max(uniq_ip:*), and I don;t want to detail each transaction type as I'd then need to keep track of what the architects and development teams are doing and update the analysis each time they add a new transaction type ...
I added the following, in place of the chart line:
| eventstats allnum=false max(uniq_ips) as max_uniq_ips by _time | fields - uniq_ips
Now I just need to form an appropriate chart line to create a single value ...