Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

dc rolling over time

vbumgarn
Path Finder
‎04-16-2012 01:11 PM

Looking at the results from a popular web analytic site, their definition of "current visitors" seems to be "distinct count over rolling five minutes". I'd like to replicate that in Splunk, but I couldn't find an elegant way to keep a rolling dc for five minute blocks without starting over. You could simply say timechart span=5m dc(clientip) but that's not quite the same thing, as I would like a bar per minute that represents the previous 5 minutes.

I've come up with a query that works, but I'm hoping someone more clever than I can shorten this query a bit. Maybe there's a timechart function I'm missing, or a range function of some sort that would shorten the eval, or a weird use of streamstats:

  1. index=httpd sourcetype=httpd-access
  2. | bucket span=1m _time
  3. | eval t=split( _time + "," + tostring(_time+60) + "," + tostring(_time+120) + "," + tostring(_time+180) + "," + tostring(_time+240) , "," )
  4. | stats dc(clientip) as dc by t
  5. | where t<now()
  6. | eval _time=t
  7. | timechart span=1m max(dc) as dc

Just to step through what it does...

  1. Find the events.
  2. Floor _time of each event to the minute.
  3. Make a multivalued field t with _time and the next four minutes.
  4. Calculate the dc per minute. Since t is multivalued, each event will count towards its minute and the four minutes after it.
  5. Throw away the future minutes created on events in the last minute.
  6. Reset _time to t for the timechart.
  7. Chart it.
0 Karma
Reply

sideview
SplunkTrust
SplunkTrust
‎04-18-2012 11:28 PM

I think you'll be much happier using streamstats with it's window argument.

index=httpd sourcetype=httpd-access | timechart dc(clientip) as dc span=1m | streamstats avg(dc) as rollingAvg window=5

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/streamstats

0 Karma
Reply

vbumgarn
Path Finder
‎04-19-2012 07:25 PM

I don't think that will give the same answer. After the timechart, you have a dc per minute, but you've lost what the dc for groupings of five minutes would have been.

I wonder if this would be more efficient...

index=httpd sourcetype=httpd-access
| timechart span=1m values(clientip) as ips 
| streamstats dc(ips) as dc window=5
| fields - ips
0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...