Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to calculate the AVG of bytes_in per clientip?

rosho
Communicator
‎07-23-2019 02:13 PM

Hi

With this SPL, I have the average session time of each clientip in a web page.
But I do not know how to put the average bytes_in for each clientip

index=bigip host="F5-BOU-4K-A.entourage.intra"
|eval kb_in= Bytes_In/1024
| transaction session_id
| stats avg(duration) AS Avg_Session_time by Client_IP

Thank you

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jaime_ramirez
Communicator
‎07-23-2019 03:41 PM

Hi

You could try this without using transaction command for better performance:

index=bigip host="F5-BOU-4K-A.entourage.intra"
| stats min(_time) AS start max(_time) AS end last(Client_IP) as Client_IP values(Bytes_In) as Bytes_In by session_id 
| eval duration=end - start 
| eval _time=start 
| stats avg(duration) AS Avg_Session_Time avg(bytes_in) as Avg_Bytes_In by Client_IP
| eval kb_in= Bytes_In/1024

Hope it helps

View solution in original post

Reply
Solved! Jump to solution
Solution

jaime_ramirez
Communicator
‎07-23-2019 03:41 PM

Hi

You could try this without using transaction command for better performance:

index=bigip host="F5-BOU-4K-A.entourage.intra"
| stats min(_time) AS start max(_time) AS end last(Client_IP) as Client_IP values(Bytes_In) as Bytes_In by session_id 
| eval duration=end - start 
| eval _time=start 
| stats avg(duration) AS Avg_Session_Time avg(bytes_in) as Avg_Bytes_In by Client_IP
| eval kb_in= Bytes_In/1024

Hope it helps

Reply
Solved! Jump to solution

rosho
Communicator
‎07-24-2019 06:35 AM

Yes, It works.
So, basically it is better to use "plain" SPL rather than commands like: transaction, associate, cluster, etc; to get results faster, right?

0 Karma
Reply
Solved! Jump to solution

jaime_ramirez
Communicator
‎07-24-2019 08:35 AM

Yes. As per the doc for transaction states:

The transaction command is most useful in two specific cases:

  1. When a unique ID (from one or more fields) alone is not sufficient to discriminate between two transactions.
    This is the case when the identifier is reused, for example web sessions identified by cookie or client IP. In this case, time spans or pauses are also used to segment the data into transactions. In other cases, when an identifier is reused, for example in DHCP logs, a particular message may identify the beginning or end of a transaction.

  2. When it is desirable to see the raw text of the events combined rather than an analysis on the constituent fields of the events.

In other cases, it's usually better to use the stats command, which performs more efficiently, especially in a distributed environment. Often there is a unique ID in the events and stats can be used.

0 Karma
Reply
Get Updates on the Splunk Community!

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...

IM Landing Page Filter - Now Available

We’ve added the capability for you to filter across the summary details on the main Infrastructure Monitoring ...

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud

Splunk continues to improve the troubleshooting experience in Observability Cloud with this latest enhancement ...