I am attempting to count the number of times a user has made a web server 'hit', and also display the average latency of that/those users.
Search Query:
sourcetype=www NOT hck=* user=< user > | stats avg(time_taken) as "latency(1s)" | stats count(user) by latency(1s)
I can't seem to get the fields to come out right, either I get just the latency, or the count and the latency without the user.
should work,
sourcetype=www NOT hck=* user=< user > | eventstats avg(time_taken) as latency | stats count(user) by latency | rename latency as "latency (1s)"
UPDATE:
perhaps this is what you're after:
sourcetype=www NOT hck=* user=* | stats count as hits, avg(time_taken) as "latency(1s)" by user
/k
Actually I just tweaked this a little bit, but you were pretty much spot on. Here is the final search:
sourcetype=www NOT hck=* | eval user=user."@".domain | stats count as hits, avg(time_taken) as "avg latency(1s)" by user | sort - "avg latency(1s)"
Or wait. That does not seem right. What do you really want? Provide sample events and sketch of desired output, please
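As an added illustration (not part of the thread, and a Python model rather than Splunk itself), this runs the asker's chained `stats | stats` pipeline and the `stats ... by user` form from the answer and final search over a few constructed `sourcetype=www` events, to show why the first loses the user field while the second keeps per-user hits and average latency. Field names and the `hck` health-check convention are taken from the searches above; the event values are made up.

```python
# Added example: a small model of the two SPL pipelines from the thread.
# Events are constructed; fields (user, domain, time_taken, hck) follow the searches above.
from collections import defaultdict

EVENTS = [
    {"user": "alice", "domain": "corp", "time_taken": 120},
    {"user": "alice", "domain": "corp", "time_taken": 80},
    {"user": "bob",   "domain": "corp", "time_taken": 300},
    {"user": "bob",   "domain": "corp", "time_taken": 100},
    {"user": "bob",   "domain": "corp", "time_taken": 200},
    {"user": "mon",   "domain": "corp", "time_taken": 5, "hck": "1"},  # health check
]

def search(events):
    """sourcetype=www NOT hck=*: drop events that carry an hck field."""
    return [e for e in events if "hck" not in e]

def chained_stats(events):
    """Asker's pipeline: stats avg(time_taken) as latency | stats count(user) by latency.
    The first stats collapses all events into one row holding only 'latency',
    so the second stats never sees a user field: count(user) is 0, no per-user rows."""
    filtered = search(events)
    latency = sum(e["time_taken"] for e in filtered) / len(filtered)
    return [{"latency": latency, "count(user)": 0}]

def stats_by_user(events):
    """Final search: eval user=user."@".domain
    | stats count as hits, avg(time_taken) as latency by user | sort - latency."""
    hits = defaultdict(int)
    total = defaultdict(float)
    for e in search(events):
        key = f'{e["user"]}@{e["domain"]}'   # eval user=user."@".domain
        hits[key] += 1
        total[key] += e["time_taken"]
    rows = [{"user": u, "hits": hits[u], "latency": total[u] / hits[u]} for u in hits]
    return sorted(rows, key=lambda r: r["latency"], reverse=True)  # sort - latency

if __name__ == "__main__":
    print(chained_stats(EVENTS))
    for row in stats_by_user(EVENTS):
        print(row)
```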