

I am trying to calculate the average time between web log entries. If an IP on the network visits the same URL multiple times in a given time period, we want to calculate the average time between visits. I can't really do a transaction (at least I don't think so) because the events are the begin or end.

I have a search that groups the IPs that visit a URL more than once and also grabs the log entries for each time the URL is visited.

The fields in the output are:

Timestamp, Src_IP, URL, Count

Now for the fun part. Once average time is calculated we want to calculate standard deviation.

Any help would be greatly appreciated!

asked 08 Dec '10, 03:32

tradecraft1914

One Answer:

Use streamstats

   | streamstats window=1 global=f current=f
       last(Timestamp) as next_ts
     by Src_IP,URL
   | eval tm_to_next=next_ts-Timestamp
   | stats avg(tm_to_next) as avg_tm stdev(tm_to_next) as stdev_tm
     by Src_IP,URL

answered 08 Dec '10, 07:07

gkanapathy ♦
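The same per-`Src_IP`/`URL` gap calculation, reproduced offline as an added example (not part of the original answer) so the edge cases are visible: one visit yields no gap, and two visits yield an average but no standard deviation. The sample rows and the `gap_stats` name are constructed for illustration, and `Timestamp` is assumed to be epoch seconds.

```python
from collections import defaultdict
from statistics import mean, stdev

# Constructed sample rows: (Timestamp in epoch seconds, Src_IP, URL)
ROWS = [
    (1291779120, "10.0.0.5", "/login"),
    (1291779180, "10.0.0.5", "/login"),
    (1291779300, "10.0.0.5", "/login"),
    (1291779360, "10.0.0.5", "/login"),
    (1291779000, "10.0.0.9", "/index.html"),
    (1291779900, "10.0.0.9", "/index.html"),
    (1291779500, "10.0.0.7", "/login"),
]


def gap_stats(rows):
    """Return {(src_ip, url): (visits, avg_gap, stdev_gap)}.

    avg_gap is None with fewer than 2 visits; stdev_gap is None with
    fewer than 3 visits (sample standard deviation needs 2 gaps).
    """
    by_key = defaultdict(list)
    for ts, src_ip, url in rows:
        by_key[(src_ip, url)].append(ts)

    out = {}
    for key, stamps in by_key.items():
        stamps.sort()  # oldest first, so each gap is next visit minus this one
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg_gap = mean(gaps) if gaps else None
        # statistics.stdev is the sample standard deviation
        sd_gap = stdev(gaps) if len(gaps) >= 2 else None
        out[key] = (len(stamps), avg_gap, sd_gap)
    return out


if __name__ == "__main__":
    for (src_ip, url), (visits, avg_gap, sd_gap) in sorted(gap_stats(ROWS).items()):
        print(src_ip, url, visits, avg_gap, sd_gap)
```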


Copyright © 2005-2014 Splunk Inc. All rights reserved.