Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

dc rolling over time

vbumgarn
Path Finder
‎04-16-2012 01:11 PM

Looking at the results from a popular web analytic site, their definition of "current visitors" seems to be "distinct count over rolling five minutes". I'd like to replicate that in Splunk, but I couldn't find an elegant way to keep a rolling dc for five minute blocks without starting over. You could simply say timechart span=5m dc(clientip) but that's not quite the same thing, as I would like a bar per minute that represents the previous 5 minutes.

I've come up with a query that works, but I'm hoping someone more clever than I can shorten this query a bit. Maybe there's a timechart function I'm missing, or a range function of some sort that would shorten the eval, or a weird use of streamstats:

  1. index=httpd sourcetype=httpd-access
  2. | bucket span=1m _time
  3. | eval t=split( _time + "," + tostring(_time+60) + "," + tostring(_time+120) + "," + tostring(_time+180) + "," + tostring(_time+240) , "," )
  4. | stats dc(clientip) as dc by t
  5. | where t<now()
  6. | eval _time=t
  7. | timechart span=1m max(dc) as dc

Just to step through what it does...

  1. Find the events.
  2. Floor _time of each event to the minute.
  3. Make a multivalued field t with _time and the next four minutes.
  4. Calculate the dc per minute. Since t is multivalued, each event will count towards its minute and the four minutes after it.
  5. Throw away the future minutes created on events in the last minute.
  6. Reset _time to t for the timechart.
  7. Chart it.
0 Karma
Reply

sideview
SplunkTrust
SplunkTrust
‎04-18-2012 11:28 PM

I think you'll be much happier using streamstats with it's window argument.

index=httpd sourcetype=httpd-access | timechart dc(clientip) as dc span=1m | streamstats avg(dc) as rollingAvg window=5

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/streamstats

0 Karma
Reply

vbumgarn
Path Finder
‎04-19-2012 07:25 PM

I don't think that will give the same answer. After the timechart, you have a dc per minute, but you've lost what the dc for groupings of five minutes would have been.

I wonder if this would be more efficient...

index=httpd sourcetype=httpd-access
| timechart span=1m values(clientip) as ips 
| streamstats dc(ips) as dc window=5
| fields - ips
0 Karma
Reply
Get Updates on the Splunk Community!

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

We’ve been buzzing with excitement about the recent validation of Splunk Education! The 2024 Splunk Career ...

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...