I need to determine peek bandwidth from IIS logs. The logs have both the amount of bytes sent and the time taken (in milliseconds). I believe I need to setup a timechart, and then apply one event to multiple timespans within the timechart. Each timespan should sum the bytes sent divided by the number of timespans the event covers. For example, if a request took 3 minutes to transfer, and the timespan is 1 minute, then this event would add 1 minute to three consecutive timespans.
I cannot determine how to do this from the documentation. Any suggestions appreciated.
UPDATE
I just discovered multivalue expansion and the ability to create your own search commands. I'm considering creating a new streaming command that takes three parameters: original value, divisor and seed. So if I have 5 as the value, 1 as the divisor and 3 as the seed, it will return a new field with '3,4,5,6,7.' Then I can use mvexpand to create multiple events based upon the returned field. In the real scenario, this would be the duration, span and time from the IIS log file, so that it returns a series of times as a multivalue. After expanding them into multiple events, I could simply use timechart.
Any thoughts appreciated--or help writing the command. 😉
... View more