I need to update a summary index with Unique IP counts every 5 mins.
What would be the optimal way to check for unique IPs over say -8m@m to -3m@m (i.e. the 5 min period ending 3 mins ago) that don't occur in a 30min window preceding that?
The basic premise is that any activity within the preceding 30 mins indicates a continuing session while absence indicates a new session (if IP appears within the 5 min window).
I'm sure this is covered somewhere from a standard indexing standpoint, but needing to push it into a summary index every 5 mins means I need to be careful about overlaps etc.
Thanks all 🙂
I'm not sure exactly what you're trying to count? Is it just "IPs that appear in the last 5 minutes that have also not appeared in the prior 30 minutes (or 25 minutes)"? That is, the number of new visits in the most recent 5 minute window?
The simple way of doing this is:
sourcetype=log earliest=-38m@m latest=-3min@m | stats min(_time) as earliest by ip | where earliest >= relative_time(now(),"-8m@m") | stats count
A more efficient way, knowing that you are running this every 5 minutes would be to run a search that built and updated a lookup table with the new IPs seen in the last 5 minutes as it went:
sourcetype=log earliest=-8m@m latest=-3m@m | stats min(_time) as earliest by ip | inputlookup append=t recentips | stats min(earliest) as earliest by ip | where earliest >= relative_time(now(),"-38m@m") | outputlookup recentips
And to get the number for your more recent 5 minute interval (after the other search has run)
| inputlookup recentips | where earliest >= relative_time(now(),"-8m@m") | stats count
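The window arithmetic above is easy to get off by one, so here is an added example (written for this page, not code from the thread and not Splunk code) that simulates the two searches in Python over a small constructed event list: `one_shot` mirrors the single 35-minute search, `lookup_as_posted` mirrors the lookup that stores `min(earliest)` per IP and prunes rows older than 38 minutes, and `lookup_last_seen` is an assumed variant of mine that stores the latest event per IP instead and decides "new" before merging. The timestamps, IPs and the 5-minute tick schedule are made up; `earliest=` is treated as inclusive and `latest=` as exclusive, as in Splunk.

```python
"""Added example: simulate the summary-index searches offline.
Not from the original thread; sample events are constructed."""
from datetime import datetime, timedelta

INTERVAL = timedelta(minutes=5)   # the summary search runs every 5 minutes
LAG = timedelta(minutes=3)        # the counted window ends 3 minutes ago
LOOKBACK = timedelta(minutes=30)  # activity here means a continuing session

# Constructed sample log, "timestamp ip", one event per line.
SAMPLE_LOG = """\
2024-01-01T10:00:10 10.0.0.1
2024-01-01T10:02:00 10.0.0.2
2024-01-01T10:20:30 10.0.0.1
2024-01-01T10:31:00 10.0.0.3
2024-01-01T10:33:45 10.0.0.2
2024-01-01T10:34:59 10.0.0.4
2024-01-01T10:37:00 10.0.0.1
2024-01-01T10:38:30 10.0.0.5
2024-01-01T10:50:00 10.0.0.1
"""


def parse_log(text):
    return [(datetime.fromisoformat(ts), ip) for ts, ip in
            (line.split() for line in text.splitlines() if line.strip())]


def snap(t):
    """Splunk's @m snap: truncate to the minute."""
    return t.replace(second=0, microsecond=0)


def by_ip(events, earliest, latest, pick=min):
    """stats min(_time) (or max) by ip over [earliest, latest)."""
    out = {}
    for t, ip in events:
        if earliest <= t < latest:
            out[ip] = pick(out[ip], t) if ip in out else t
    return out


def one_shot(events, now):
    """First search: one 35-minute span; an IP is new if its earliest
    event falls inside the 5-minute window."""
    now = snap(now)
    ws, we = now - LAG - INTERVAL, now - LAG
    first = by_ip(events, ws - LOOKBACK, we)
    return sorted(ip for ip, t in first.items() if t >= ws)


def lookup_as_posted(state, events, now):
    """Second search as written: the lookup keeps min(earliest) per IP,
    drops rows older than 38 minutes, and an IP is new if its stored
    earliest lies inside the window. Returns (new_ips, updated_state)."""
    now = snap(now)
    ws, we = now - LAG - INTERVAL, now - LAG
    merged = dict(state)
    for ip, t in by_ip(events, ws, we).items():
        merged[ip] = min(merged.get(ip, t), t)
    merged = {ip: t for ip, t in merged.items() if t >= ws - LOOKBACK}
    return sorted(ip for ip, t in merged.items() if t >= ws), merged


def lookup_last_seen(state, events, now):
    """Assumed variant: store max(_time) per IP; an IP is new if the
    saved state shows nothing in the 30 minutes before the window,
    decided before merging. Returns (new_ips, updated_state)."""
    now = snap(now)
    ws, we = now - LAG - INTERVAL, now - LAG
    fresh = by_ip(events, ws, we, pick=max)
    new = sorted(ip for ip in fresh
                 if state.get(ip, datetime.min) < ws - LOOKBACK)
    merged = dict(state)
    for ip, t in fresh.items():
        merged[ip] = max(merged.get(ip, t), t)
    merged = {ip: t for ip, t in merged.items() if t >= ws - LOOKBACK}
    return new, merged


def run_schedule(events, start, ticks):
    """Run all three every 5 minutes: [(now, one_shot, posted, last_seen)]."""
    posted_state, seen_state = {}, {}
    results = []
    for i in range(ticks):
        now = start + i * INTERVAL
        p_new, posted_state = lookup_as_posted(posted_state, events, now)
        s_new, seen_state = lookup_last_seen(seen_state, events, now)
        results.append((now, one_shot(events, now), p_new, s_new))
    return results


def demo():
    """Eleven ticks from 10:08 to 10:58 over the constructed log."""
    return run_schedule(parse_log(SAMPLE_LOG), datetime(2024, 1, 1, 10, 8), 11)


if __name__ == "__main__":
    for now, ref, posted, seen in demo():
        print(now.strftime("%H:%M"), ref, posted, seen)
```

Running it shows the three agreeing on every tick except 10:58: 10.0.0.1 has been active at 10:00, 10:20, 10:37 and 10:50, so the one-shot search never calls it new, but the min-based lookup dropped its row at 10:43 (its stored earliest had aged past 38 minutes) and then reports it as new when it reappears. Storing the latest time per IP avoids that, and in Splunk it is the same shape of search with `max(_time)` in place of `min(_time)`. Either lookup-based search also needs about 30 minutes of scheduled runs before its counts can be trusted, since the lookup starts empty.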