I am trying to calculate the average time between web log entries. If an IP on the network visits the same URL multiple times in a given time period, we want to calculate the average time between visits. I can't really do a transaction (at least I don't think so) because the events are the same: no begin or end.
I have a search that groups the IPs that visit a URL more than once and also grabs the log entries for each time the URL is visited.
The fields in the output are:
Timestamp, Src_IP, URL, Count
Now for the fun part. Once the average time is calculated, we want to calculate the standard deviation.
Any help would be greatly appreciated!
Use streamstats
sourcetype=myweblog
| streamstats window=1 global=f current=f
last(Timestamp) as next_ts
by Src_IP,URL
| eval tm_to_next=next_ts-Timestamp
| stats
avg(tm_to_next)
stdev(tm_to_next)
by Src_IP,URL
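The same computation as the streamstats/stats pipeline above, written in Python over a few constructed log lines so the numbers can be checked by hand (added example, not Splunk SPL and not the answerer's code; the log format, IPs and URLs are made up, and the sort by time is explicit rather than relying on search order):

```python
"""Added example (not Splunk SPL, not the poster's code): average and sample
standard deviation of the gap between repeat visits to the same URL from the
same source IP, over constructed web log lines. Mirrors the pipeline above:
per (Src_IP, URL) take the time to the next visit, then avg() and stdev()."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, stdev

# Constructed sample log, one "<ISO timestamp> <src_ip> <url>" entry per line.
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 /login
2024-01-01T10:00:30 10.0.0.5 /login
2024-01-01T10:01:30 10.0.0.5 /login
2024-01-01T10:00:10 10.0.0.9 /login
2024-01-01T10:05:00 10.0.0.5 /admin
2024-01-01T10:00:20 10.0.0.9 /search
2024-01-01T10:00:50 10.0.0.9 /search
"""

def parse_log(text):
    """Return (timestamp, src_ip, url) tuples in file order."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, src_ip, url = line.split()
            events.append((datetime.fromisoformat(ts), src_ip, url))
    return events

def visit_gap_stats(events):
    """Map (src_ip, url) -> (visit_count, avg_gap_s, stdev_gap_s) for every
    pair seen at least twice. Pairs seen once have no next visit and are
    dropped; a pair with exactly two visits has one gap, and its stdev is
    reported as 0.0 here (an assumption made for this example)."""
    stamps_by_key = defaultdict(list)
    for ts, src_ip, url in events:
        stamps_by_key[(src_ip, url)].append(ts)
    result = {}
    for key, stamps in stamps_by_key.items():
        if len(stamps) < 2:
            continue
        stamps.sort()  # each gap is to the chronologically next visit
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        result[key] = (len(stamps), mean(gaps), stdev(gaps) if len(gaps) > 1 else 0.0)
    return result

if __name__ == "__main__":
    for (ip, url), (n, avg, sd) in sorted(visit_gap_stats(parse_log(SAMPLE_LOG)).items()):
        print(f"{ip} {url}: visits={n} avg_gap={avg:.1f}s stdev={sd:.1f}s")
```

With the sample above, 10.0.0.5 hits /login three times with gaps of 30 s and 60 s (average 45 s, sample stdev about 21.2 s), while the single-visit pairs produce no row.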