Looking at the results from a popular web analytics site, their definition of "current visitors" seems to be "distinct count over rolling five minutes". I'd like to replicate that in Splunk, but I couldn't find an elegant way to keep a rolling dc for five-minute blocks without starting over. You could simply say timechart span=5m dc(clientip), but that's not quite the same thing, as I would like a bar per minute that represents the previous 5 minutes.
I've come up with a query that works, but I'm hoping someone more clever than I can shorten this query a bit. Maybe there's a timechart function I'm missing, or a range function of some sort that would shorten the eval, or a weird use of streamstats:
index=httpd sourcetype=httpd-access
| bucket span=1m _time
| eval t=split( _time + "," + tostring(_time+60) + "," + tostring(_time+120) + "," + tostring(_time+180) + "," + tostring(_time+240) , "," )
| stats dc(clientip) as dc by t
| where t<now()
| eval _time=t
| timechart span=1m max(dc) as dc
Just to step through what it does...
Find the events.
Floor _time of each event to the minute.
Make a multivalued field t with _time and the next four minutes.
Calculate the dc per minute. Since t is multivalued, each event will count towards its minute and the four minutes after it.
Throw away the future minutes created on events in the last minute.
Reset _time to t for the timechart.
Chart it.
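To check that the fan-out trick really yields "distinct clients over the previous five minutes" per minute, here is the same algorithm in Python run over a few constructed access-log lines. This is an added example, not part of the original post and not Splunk code: the log lines, the `now` value and the function names (`parse_events`, `rolling_distinct_clients`, `current_visitors`) are all assumptions made here. It mirrors the SPL step for step: floor each event to its minute, add its client IP to that minute and the next four minute buckets, count distinct IPs per bucket, fill empty minutes with zero the way timechart would, and drop buckets that start at or after `now`.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

WINDOW_MINUTES = 5  # rolling window: this minute plus the previous four

# Constructed sample access-log lines in common log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.1 - - [10/Oct/2023:12:00:05 +0000] "GET / HTTP/1.1" 200 512
10.0.0.2 - - [10/Oct/2023:12:00:40 +0000] "GET /a HTTP/1.1" 200 512
10.0.0.1 - - [10/Oct/2023:12:01:10 +0000] "GET /b HTTP/1.1" 200 512
10.0.0.3 - - [10/Oct/2023:12:03:59 +0000] "GET /c HTTP/1.1" 200 512
10.0.0.4 - - [10/Oct/2023:12:06:01 +0000] "GET /d HTTP/1.1" 404 0
"""

# client IP and the bracketed timestamp; the rest of the line is ignored
LINE_RE = re.compile(r'^(?P<clientip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\]')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_ts(text):
    """Parse a CLF timestamp such as '10/Oct/2023:12:00:05 +0000' to epoch seconds."""
    return int(datetime.strptime(text, TS_FORMAT).timestamp())


def parse_events(text):
    """Yield (epoch_seconds, clientip) for each parseable log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        yield parse_ts(m.group("ts")), m.group("clientip")


def rolling_distinct_clients(events, now, window=WINDOW_MINUTES):
    """Return {minute_epoch: distinct_clients} for every minute before `now`.

    Same idea as the SPL: bucket span=1m, then let each event count toward its
    own minute and the following window-1 minutes (the split() fan-out), take
    dc(clientip) per bucket, and discard the future buckets (where t<now()).
    """
    buckets = defaultdict(set)
    for t, ip in events:
        minute = t - t % 60                      # bucket span=1m _time
        for k in range(window):                  # t, t+60, ..., t+240
            buckets[minute + 60 * k].add(ip)
    kept = {m: ips for m, ips in buckets.items() if m < now}
    if not kept:
        return {}
    # timechart emits every minute in range, so fill gaps with 0
    first, last = min(kept), max(kept)
    return {m: len(kept.get(m, ())) for m in range(first, last + 60, 60)}


def current_visitors(text, now_text):
    """Convenience wrapper: log text + 'now' timestamp -> {"HH:MM": dc}."""
    series = rolling_distinct_clients(parse_events(text), parse_ts(now_text))
    return {
        datetime.fromtimestamp(m, timezone.utc).strftime("%H:%M"): dc
        for m, dc in series.items()
    }


if __name__ == "__main__":
    for minute, dc in current_visitors(SAMPLE_LOG, "10/Oct/2023:12:08:30 +0000").items():
        print(minute, dc)
```

With the sample above and `now` at 12:08:30, the 12:03 and 12:04 bars are 3 (clients .1 and .2 from 12:00-12:01 are still inside the window when .3 arrives), 12:08 drops to 1, and the 12:09 and 12:10 buckets that the 12:06 event would have created are discarded as future minutes. One cost to keep in mind when porting this to a busy index: the fan-out hands `stats` five rows per event, so the distinct count is exact but the intermediate result is five times the event volume.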