I am looking for a way to identify the start and end of a burst of events that has hundreds of thousands of events in each burst. I don't need the individual events themselves. This sounds like a perfect use for stats, except, multiple bursts can happen during the search period, and I need the start and end times of each burst.
For example, I may run a search over the past 24 hours, and during that time, there may be three or four bursts.
I can assume if there is a gap of 5 minutes or more, the burst has ended. Any given burst may last for minutes or an hour or so.
I have tried using a transaction with maxpause=5m and maxopenevents=100000, but the huge number of events is causing problems.
The events are all similar, with no identifiers I could use to filter out everything but the start and end events (that would have simplified this!).
Thanks for your thoughts!
Mr Paul
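The gap-based grouping the question describes (sort by time, start a new burst whenever the gap to the previous event is five minutes or more, then keep only the first and last timestamp of each group) is the same logic Splunk's streamstats/stats pipeline would express, and it never needs to hold the individual events in memory the way transaction does. The Python below is an added illustration, not code from the original post or from Splunk; it works on epoch-second `_time` values, the 5-minute threshold and the sample event timestamps are constructed for the example, and the function names are my own.

```python
from datetime import datetime, timezone

GAP_SECONDS = 5 * 60  # a gap of 5 minutes or more ends a burst (from the question)


def find_bursts(times, gap_seconds=GAP_SECONDS):
    """Group epoch-second timestamps into bursts.

    Returns a list of (start, end, count) tuples, one per burst, in time order.
    Events closer than gap_seconds to the previous event belong to the same burst;
    a gap of exactly gap_seconds closes the burst, matching "5 minutes or more".
    Input order does not matter; only one pass is needed after sorting.
    """
    ts = sorted(times)
    bursts = []
    if not ts:
        return bursts
    start = prev = ts[0]
    count = 1
    for t in ts[1:]:
        if t - prev >= gap_seconds:
            # gap reached the threshold: close the current burst, open a new one
            bursts.append((start, prev, count))
            start, count = t, 0
        prev = t
        count += 1
    bursts.append((start, prev, count))  # close the last burst at end of data
    return bursts


def describe_bursts(bursts):
    """Render bursts as human-readable lines (UTC), the shape a report would show."""
    def iso(epoch):
        return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    return [
        f"burst {i}: {iso(s)} -> {iso(e)} ({e - s:.0f}s, {n} events)"
        for i, (s, e, n) in enumerate(bursts, 1)
    ]


# Constructed sample data (hypothetical timestamps, not from the original post).
BASE = 1704067200  # 2024-01-01T00:00:00Z


def constructed_events():
    """Three bursts of differing density, returned in reverse order on purpose."""
    events = [BASE + i for i in range(1000)]          # burst 1: 1000 events, 1 s apart
    b2 = BASE + 999 + 600                              # 10 min after burst 1 ends
    events += [b2 + 2 * i for i in range(300)]         # burst 2: 300 events, 2 s apart
    b3 = b2 + 598 + 3600                               # one hour after burst 2 ends
    events += [b3 + 299 * i for i in range(5)]         # burst 3: 299 s gaps stay one burst
    return events[::-1]


if __name__ == "__main__":
    for line in describe_bursts(find_bursts(constructed_events())):
        print(line)
```

In SPL the same steps are `sort 0 _time`, a `streamstats current=f last(_time)` to get the previous event's time, an `eval` that flags a new burst when the difference is at least 300 seconds, a second `streamstats sum()` of that flag as a running burst id, and finally `stats min(_time) max(_time) count by` that id; because the work is done by streaming commands rather than by `transaction`, the event count per burst does not hit the `maxopenevents` limit.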