Dear experts
I must confess this post and question is not properly defined. It's more a chance to pick your brains regarding investigating bandwidth usage.
We have a bunch of servers grouped by IDs. They're named as WEBXX-YY, where XX is the cluster id and YY is the node id. Each cluster serves its own application and the load is distributed between the different nodes.
My task is to investigate which application is using the most bandwidth. I ran this search to check which application uses the most bandwidth:
index=webfront sourcetype=iis host=WEB* | eval hostname = split(host, "-") | eval hostname = mvindex(hostname,0) | eval sumMB = ((cs_bytes*8)/(1024*1024) + (sc_bytes*8)/(1024*1024)) | timechart span=1m per_second(sumMB) by hostname
But since the clusters have different amounts of clients it's not a fair comparison, so my thought was to find the average bandwidth per transaction per application. Defining transaction by c_ip and maxpause=1s, is there a way of measuring the average bandwidth per transaction per cluster?
The result table would be:
"average per_second(sumMB) per transaction", cluster
I would like to present this with a timechart.
Hope the question is somewhat clear?
Suggestions regarding alternative approaches are most welcome!
Kind regards,
Patrik
Maybe like this (will surely need adjusting, but it should get you started):
... | transaction c_ip maxpause=1s | eval serial=_serial | stats first(duration) AS durationSeconds sum(eval(((cs_bytes*8)/(1024*1024) + (sc_bytes*8)/(1024*1024)))) AS sumMB BY c_ip serial
The _serial part makes sure that the end result is the sumMB over the entire transaction. You will pipe the results of this search to more stats stuff (e.g. | eval bandwidth=sumMB/durationSeconds | stats ...)
This can easily be done if you have fields defined for transactionID (or something that allows us to generate one) and application; do you?
Thank you for your answer!
I was thinking more of using transaction c_ip maxpause=1s to identify individual page loads.
Will that work?
/Patrik
Yes, that seems reasonable, given that there are no correlating fields that can be used to link the events.
Thanks for your answer! Do you have any idea on how to calculate the average bandwidth per transaction per host?
Do all transactions start with the same event and can that event be identified by a field value or string inside the event?
Thanks for your answer. My intention is to make each user click/page load a transaction. So for instance, if the user accesses /index.html, which in turn refers to style.css and script.js, there will be three requests:
index.html
style.css
script.js
These IIS log file entries would be considered as one transaction. Then if the user waits for more than one second before the next click it'd be considered as a new transaction.
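
One way to produce the table asked for in the question, as an added example that is not from any poster in the thread: it groups requests per cluster and c_ip into page loads with streamstats (a new group starts after a gap of more than one second) rather than with the transaction command, so that the byte counts can be summed per page load. The names cluster, bits, prev_time, new_txn, txn_id and Mbit_per_s are illustrative; the index, sourcetype and IIS fields are the ones used in the question, with host=WEB* assumed as the intended host filter.

```spl
index=webfront sourcetype=iis host=WEB*
| eval cluster = mvindex(split(host, "-"), 0)
| eval bits = (cs_bytes + sc_bytes) * 8
| sort 0 cluster c_ip _time
| streamstats current=f last(_time) AS prev_time BY cluster c_ip
| eval new_txn = if(isnull(prev_time) OR (_time - prev_time) > 1, 1, 0)
| streamstats sum(new_txn) AS txn_id BY cluster c_ip
| stats min(_time) AS _time range(_time) AS duration sum(bits) AS bits BY cluster c_ip txn_id
| eval Mbit_per_s = bits / (1024 * 1024) / max(duration, 1)
| timechart span=1m avg(Mbit_per_s) BY cluster
```

IIS timestamps have one-second resolution, so a page load whose requests all share one timestamp has a duration of 0; max(duration, 1) counts it as one second instead of dividing by zero.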