Hi
With this SPL, I get the average session time for each clientip on a web page.
But I do not know how to add the average bytes_in for each clientip:
index=bigip host="F5-BOU-4K-A.entourage.intra"
|eval kb_in= Bytes_In/1024
| transaction session_id
| stats avg(duration) AS Avg_Session_time by Client_IP
Thank you
Hi
You could try this without using the transaction command, for better performance:
index=bigip host="F5-BOU-4K-A.entourage.intra"
| stats min(_time) AS start max(_time) AS end last(Client_IP) AS Client_IP sum(Bytes_In) AS Bytes_In by session_id
| eval duration=end - start
| eval _time=start
| stats avg(duration) AS Avg_Session_Time avg(Bytes_In) AS Avg_Bytes_In by Client_IP
| eval Avg_KB_In=Avg_Bytes_In/1024
Hope it helps
Yes, it works.
So, basically, it is better to use "plain" SPL rather than commands like transaction, associate, cluster, etc., to get results faster, right?
Yes. As the doc for transaction states:
The transaction command is most useful in two specific cases:
1. When a unique ID (from one or more fields) alone is not sufficient to discriminate between two transactions. This is the case when the identifier is reused, for example web sessions identified by cookie or client IP. In this case, time spans or pauses are also used to segment the data into transactions. In other cases, when an identifier is reused, for example in DHCP logs, a particular message may identify the beginning or end of a transaction.
2. When it is desirable to see the raw text of the events combined rather than an analysis on the constituent fields of the events.
In other cases, it's usually better to use the stats command, which performs more efficiently, especially in a distributed environment. Often there is a unique ID in the events and stats can be used.
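The following is an added worked example, not code from the thread or from Splunk. It models in plain Python what the two-stage stats search in the answer does (per-session min/max time and byte total, then averages per Client_IP), shows why summing Bytes_In per session gives a different answer than a values()-style deduplicated list, and models the identifier-reuse case from the transaction documentation above, where only a maxpause-style gap can split one reused Client_IP into two sessions. All events are constructed sample data with the field names used in the thread; they are not real F5/BIG-IP log lines.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample events (not real BIG-IP logs):
# (_time as epoch seconds, session_id, Client_IP, Bytes_In)
SAMPLE_EVENTS = [
    (1700000000, "s1", "10.0.0.1", 512),
    (1700000030, "s1", "10.0.0.1", 512),   # same Bytes_In twice: values() would keep it once
    (1700000060, "s1", "10.0.0.1", 1024),
    (1700000010, "s2", "10.0.0.2", 2048),
    (1700000100, "s2", "10.0.0.2", 2048),
    (1700000005, "s3", "10.0.0.1", 256),
    (1700000025, "s3", "10.0.0.1", 256),
]


def sessions_by_id(events, dedupe_bytes=False):
    """Model of `stats min(_time) max(_time) last(Client_IP) sum(Bytes_In) by session_id`.

    Returns {session_id: {"start", "end", "duration", "client_ip", "bytes_in"}}.
    With dedupe_bytes=True, bytes_in models values(Bytes_In) instead of sum(),
    i.e. each distinct value is counted once, which under-reports repeated sizes.
    """
    grouped = defaultdict(list)
    for t, sid, ip, b in events:
        grouped[sid].append((t, ip, b))
    sessions = {}
    for sid, rows in grouped.items():
        rows.sort()                              # by _time, so "last" is the latest event
        times = [r[0] for r in rows]
        byte_vals = [r[2] for r in rows]
        if dedupe_bytes:
            byte_vals = list(set(byte_vals))
        sessions[sid] = {
            "start": times[0],
            "end": times[-1],
            "duration": times[-1] - times[0],    # eval duration=end - start
            "client_ip": rows[-1][1],            # last(Client_IP)
            "bytes_in": sum(byte_vals),
        }
    return sessions


def avg_by_client(sessions):
    """Model of `stats avg(duration) avg(Bytes_In) by Client_IP | eval Avg_KB_In=...`."""
    per_ip = defaultdict(list)
    for s in sessions.values():
        per_ip[s["client_ip"]].append(s)
    result = {}
    for ip, rows in per_ip.items():
        avg_bytes = mean([s["bytes_in"] for s in rows])
        result[ip] = {
            "Avg_Session_Time": mean([s["duration"] for s in rows]),
            "Avg_Bytes_In": avg_bytes,
            "Avg_KB_In": avg_bytes / 1024,
        }
    return result


# Constructed events where the only identifier is the Client_IP, and the same
# address comes back for a second visit ten minutes after the first one ended:
# (_time, Client_IP, Bytes_In)
REUSED_ID_EVENTS = [
    (1700000000, "10.0.0.9", 100),
    (1700000020, "10.0.0.9", 100),
    (1700000040, "10.0.0.9", 300),
    (1700000640, "10.0.0.9", 50),
    (1700000660, "10.0.0.9", 50),
]


def _summarise(ip, rows):
    start, end = rows[0][0], rows[-1][0]
    return (ip, start, end, end - start, sum(b for _, b in rows))


def split_on_pause(events, maxpause):
    """Segment same-identifier events into sessions when the gap exceeds maxpause seconds.

    This models what `transaction Client_IP maxpause=<seconds>` does for a reused
    identifier. A plain `stats min(_time) max(_time) by Client_IP` has no notion of
    a pause and reports one long session for the sample above.
    Returns a list of (client_ip, start, end, duration, bytes_in) tuples.
    """
    by_ip = defaultdict(list)
    for t, ip, b in events:
        by_ip[ip].append((t, b))
    out = []
    for ip, rows in by_ip.items():
        rows.sort()
        current = [rows[0]]
        for row in rows[1:]:
            if row[0] - current[-1][0] > maxpause:
                out.append(_summarise(ip, current))
                current = [row]
            else:
                current.append(row)
        out.append(_summarise(ip, current))
    return out


if __name__ == "__main__":
    print(avg_by_client(sessions_by_id(SAMPLE_EVENTS)))
    print(avg_by_client(sessions_by_id(SAMPLE_EVENTS, dedupe_bytes=True)))
    print(split_on_pause(REUSED_ID_EVENTS, maxpause=300))
```

Running it shows 10.0.0.1 averaging 1280 bytes per session with sum() but only 896 with the values()-style dedup, and the reused address splitting into a 40-second and a 20-second session with maxpause=300 instead of one 660-second session. That second case is exactly the one the transaction documentation reserves for transaction; everywhere a real session_id exists, the stats form is the faster choice.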