Aggregating an aggregated message
Did a bit of searching and didn't find a good answer, and I'm not really sure if there is one, but I figured I might as well ask.
Basically, I'm trying to combine two queries into a single aggregate. My messages from the load balancer look like this:
2015-05-05T14:00:22.154824Z LBNAME 255.255.255.255:0000 255.255.255.255:80 0.000061 0.198259 0.000135 200 200 0 11881 "GET http://www.DOMAIN.TLD:80/path/to/foo HTTP/1.1"
I've figured out how to extract the total data sent per domain with something like:
_sourceCategory=SOURCE*
| parse ":80 * * * * * * * \"GET http://*:80" as a,b,c,d,e,recv,sent,domain
| sum(sent) as total_sent by domain
| sort by total_sent
And get the total number of requests per domain with something like:
_sourceCategory=SOURCE*
| parse ":80 * * * * * * * \"GET http://*:80" as a,b,c,d,e,recv,sent,domain
| count by domain
| fields domain,_count
| sort by _count desc
Is there any way I could combine the two to get an aggregate result of TOTAL_SENT divided by the TOTAL_REQUESTS to get an average data per request?
Hi Mike,
You can tie two aggregate operators together by putting a comma between them; also, order of operations matters. For your example, here are a couple of options.
If you'd like to be able to plot the average data per request over time (for plotting on a line graph) use this syntax:
_sourceCategory=SOURCE*
| parse ":80 * * * * * * * \"GET http://*:80" as a,b,c,d,e,recv,sent,domain
| timeslice by 1m
| count as total_requests, sum(sent) as total_sent by _timeslice
| total_sent / total_requests as avg_sent_per_request
Feel free to adjust the timeslice size based on your overall time window for the search.
If you want to just get one overall avg value you can use this syntax:
_sourceCategory=SOURCE*
| parse ":80 * * * * * * * \"GET http://*:80" as a,b,c,d,e,recv,sent,domain
| count as total_requests, sum(sent) as total_sent
| total_sent / total_requests as avg_sent_per_request
Hope that helps!
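Working the same aggregation through offline in Python, as an added example that is not code from the post or from Sumo Logic: it parses constructed load-balancer lines in the same column layout as the record quoted in the question, keeps the request count and sum of bytes sent side by side, and divides them, grouped both by domain (what the question asks for) and by timeslice (what the answer's first query does). Unlike the posted parse pattern it does not limit itself to GET requests, and a line that does not match the expected layout is skipped rather than aborting the run. The function names, the regular expression and the sample lines are all constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample records in the layout of the line quoted in the question.
# Addresses, byte counts and domains are made up for the example.
SAMPLE_LOG = """\
2015-05-05T14:00:22.154824Z LBNAME 203.0.113.10:51000 10.0.0.5:80 0.000061 0.198259 0.000135 200 200 0 11881 "GET http://www.example.com:80/path/to/foo HTTP/1.1"
2015-05-05T14:00:41.000000Z LBNAME 203.0.113.11:51001 10.0.0.5:80 0.000050 0.100000 0.000100 200 200 0 2119 "GET http://www.example.com:80/other HTTP/1.1"
2015-05-05T14:01:03.500000Z LBNAME 203.0.113.12:51002 10.0.0.6:80 0.000070 0.300000 0.000120 200 200 0 5000 "GET http://api.example.net:80/v1/items HTTP/1.1"
2015-05-05T14:01:09.000000Z LBNAME 203.0.113.13:51003 10.0.0.6:80 0.000070 0.300000 0.000120 404 404 0 500 "GET http://api.example.net:80/v1/missing HTTP/1.1"
2015-05-05T14:01:30.000000Z LBNAME 203.0.113.14:51004 10.0.0.7:80 0.000010 0.010000 0.000010 200 200 0 100 "POST http://upload.example.org:80/put HTTP/1.1"
this line is not a load-balancer record and must be skipped
"""

# One named group per space-separated column; the quoted request comes last.
LINE_RE = re.compile(
    r'^(?P<timestamp>\S+) (?P<lb_name>\S+) (?P<client>\S+) (?P<backend>\S+) '
    r'(?P<request_time>\S+) (?P<backend_time>\S+) (?P<response_time>\S+) '
    r'(?P<lb_status>\d+) (?P<backend_status>\d+) (?P<received>\d+) (?P<sent>\d+) '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<protocol>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one record, or None when the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["timestamp"], "%Y-%m-%dT%H:%M:%S.%fZ")
    return {
        "timestamp": ts.replace(tzinfo=timezone.utc),
        "domain": urlsplit(m["url"]).hostname,   # host part of the request URL
        "method": m["method"],
        "received": int(m["received"]),
        "sent": int(m["sent"]),
    }


def _aggregate(records, key_fn):
    """count and sum(sent) per key, then the ratio, like the chained operators."""
    totals = defaultdict(lambda: {"total_requests": 0, "total_sent": 0})
    for rec in records:
        bucket = totals[key_fn(rec)]
        bucket["total_requests"] += 1
        bucket["total_sent"] += rec["sent"]
    for bucket in totals.values():
        bucket["avg_sent_per_request"] = bucket["total_sent"] / bucket["total_requests"]
    return dict(totals)


def _records(lines):
    return [r for r in map(parse_line, lines) if r is not None]


def aggregate_by_domain(lines):
    """Equivalent of '... by domain' on the combined count/sum query."""
    return _aggregate(_records(lines), lambda r: r["domain"])


def aggregate_by_timeslice(lines, minutes=1):
    """Equivalent of 'timeslice by <minutes>m ... by _timeslice'."""
    width = minutes * 60

    def slice_start(rec):
        epoch = int(rec["timestamp"].timestamp())
        start = datetime.fromtimestamp(epoch - epoch % width, tz=timezone.utc)
        return start.strftime("%Y-%m-%dT%H:%M:%SZ")

    return _aggregate(_records(lines), slice_start)


if __name__ == "__main__":
    for key, row in sorted(aggregate_by_domain(SAMPLE_LOG.splitlines()).items()):
        print(f"{key:20} requests={row['total_requests']:3} sent={row['total_sent']:6} "
              f"avg={row['avg_sent_per_request']:.1f}")
    for key, row in sorted(aggregate_by_timeslice(SAMPLE_LOG.splitlines()).items()):
        print(f"{key} requests={row['total_requests']} avg={row['avg_sent_per_request']:.1f}")
```

The two aggregations share one pass structure: count and sum are accumulated together under the same key, and the division happens only after the grouping, which is exactly why the two aggregate operators in the query have to appear in one `count ..., sum(...) by ...` clause before the ratio line.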