I must confess this post and question are not properly defined. It's more a chance to pick your brains regarding investigating bandwidth usage.
We have a bunch of servers grouped by IDs. They're named as WEBXX-YY, where XX is the cluster id and YY is the node id. Each cluster serves its own application and the load is distributed between the different nodes.
My task is to investigate which application is using the most bandwidth. I ran this search to check which application uses the most bandwidth:
index=webfront sourcetype=iis host=WEB* | eval hostname = split(host, "-") | eval hostname = mvindex(hostname,0) | eval sumMB = ((cs_bytes*8)/(1024*1024) + (sc_bytes*8)/(1024*1024)) | timechart span=1m per_second(sumMB) by hostname
But since the clusters have different amounts of clients it's not a fair comparison, so my thought was to find the average bandwidth per transaction per application. Defining transaction by c_ip and maxpause=1s, is there a way of measuring the average bandwidth per transaction per cluster?
The result table would be:
"average per_second(sumMB) per transaction", cluster
I would like to present this with a timechart.
Hope the question is somewhat clear?
Suggestions regarding alternative approaches are most welcome!
This can easily be done if you have fields defined for transactionID (or something that allows us to generate one) and application; do you?
Thank you for your answer!
I was more thinking to use
transaction c_ip maxpause=1s
to identify individual page loads.
Will that work?
Thanks for your answer. My intention is to make each user click/page load a transaction. So for instance, if the user accesses /index.html that in turn refers to style.css, script.js there will be three requests:
These IIS log file entries would be considered as one transaction. Then if the user waits for more than one second before the next click it'd be considered as a new transaction.
Maybe like this (will surely need adjusting, but it should get you started):
... | transaction c_ip maxpause=1s | eval serial=_serial | stats first(duration) AS durationSeconds sum(eval(((cs_bytes*8)/(1024*1024) + (sc_bytes*8)/(1024*1024)))) AS sumMB BY c_ip serial
The _serial part makes sure that the end result is the sumMB over the entire transaction. You will pipe the results of this search to more stats stuff (e.g. | eval bandwidth=sumMB/durationSeconds | stats ...)
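As a way to check the logic of the search discussed above offline, here is an added Python example (not part of the original thread) that groups requests per client the way transaction c_ip maxpause=1s would and then averages sumMB/durationSeconds per cluster. The sample rows are constructed, and keying on (cluster, c_ip) and setting aside zero-duration transactions (a single request has a duration of 0, so the division is undefined) are assumptions of this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MAXPAUSE = timedelta(seconds=1)  # mirrors "transaction c_ip maxpause=1s"

# Constructed sample rows: (time, host, c_ip, cs_bytes, sc_bytes)
SAMPLE = [
    ("10:00:00.000", "WEB01-01", "10.0.0.5", 1024, 261120),
    ("10:00:00.400", "WEB01-02", "10.0.0.5", 512, 130560),
    ("10:00:00.800", "WEB01-01", "10.0.0.5", 512, 130560),
    ("10:00:05.000", "WEB01-01", "10.0.0.5", 256, 130816),  # lone request
    ("10:00:02.000", "WEB01-02", "10.0.0.6", 512, 130560),
    ("10:00:02.500", "WEB01-02", "10.0.0.6", 512, 130560),
    ("10:00:00.000", "WEB02-01", "10.0.0.9", 1024, 523264),
    ("10:00:00.500", "WEB02-01", "10.0.0.9", 1024, 523264),
]

def transactions(rows):
    """Return (cluster, duration_seconds, sumMB) for each transaction."""
    by_key = defaultdict(list)
    for ts, host, c_ip, cs, sc in rows:
        cluster = host.split("-")[0]  # WEBXX-YY -> WEBXX
        when = datetime.strptime(ts, "%H:%M:%S.%f")
        # The page's formula for sumMB, kept as written.
        mb = (cs * 8) / (1024 * 1024) + (sc * 8) / (1024 * 1024)
        by_key[(cluster, c_ip)].append((when, mb))
    out = []
    for (cluster, _), events in by_key.items():
        events.sort()
        start = prev = events[0][0]
        total = 0.0
        for when, mb in events:
            if when - prev > MAXPAUSE:  # pause exceeded: close the transaction
                out.append((cluster, (prev - start).total_seconds(), total))
                start, total = when, 0.0
            total += mb
            prev = when
        out.append((cluster, (prev - start).total_seconds(), total))
    return out

def average_bandwidth(rows):
    """Per cluster: (mean of sumMB/duration, count of zero-duration transactions)."""
    rates, skipped = defaultdict(list), defaultdict(int)
    for cluster, duration, total in transactions(rows):
        if duration > 0:
            rates[cluster].append(total / duration)
        else:
            skipped[cluster] += 1  # single-request transaction: no rate
    return {c: (sum(r) / len(r), skipped[c]) for c, r in rates.items()}

if __name__ == "__main__":
    print(average_bandwidth(SAMPLE))
```
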