I'm looking at behavior of a service which consumes messages about products, the unifying factor being a field called UPC. In theory there should just be a single message sent across per UPC, but I know this is often not the case and regularly see up to 20 messages per UPC come across.
I'm not concerned with individual UPCs here, but with aggregate data: what's the average number of messages per UPC over the 50000 UPCs we saw come through? The median? The maximum?
I can get these with the `transaction` command:
```
sourcetype=blahblah | transaction UPC_CODE | timechart span=1m max(eventcount),median(eventcount),avg(eventcount)
```
But this is really slow and I can't help but think there is a more efficient way to do this.
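As an added illustration (not part of the original post, and not Splunk's own code), the following Python reproduces what the query above computes: `transaction UPC_CODE` collapses every event sharing a `UPC_CODE` into one group whose `eventcount` is the number of events and whose `_time` is the earliest event, and `timechart span=1m` then places each group into the minute bucket of that start time before taking max/median/avg. The events and the `UPC_CODE` values are constructed sample data; the field name is taken from the post. The `overall_stats` function gives the single whole-dataset figures the question is really after.

```python
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, median

# Constructed sample events (timestamp, UPC_CODE); these are not real product data.
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:05Z", "000111"),
    ("2024-01-01T10:00:20Z", "000111"),
    ("2024-01-01T10:00:40Z", "000222"),
    ("2024-01-01T10:01:10Z", "000111"),  # same UPC in a later minute: still the same transaction
    ("2024-01-01T10:01:15Z", "000333"),
    ("2024-01-01T10:01:30Z", "000333"),
    ("2024-01-01T10:01:45Z", "000333"),
    ("2024-01-01T10:02:00Z", "000444"),
]


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp like the ones in SAMPLE_EVENTS."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def transactions_by_upc(events):
    """Mirror `transaction UPC_CODE`: one group per UPC across the whole search window.

    Each group records its eventcount and the time of its earliest event, which is
    the _time Splunk assigns to the transaction.
    """
    groups = {}
    for ts, upc in events:
        t = parse_ts(ts)
        if upc not in groups:
            groups[upc] = {"start": t, "eventcount": 0}
        groups[upc]["start"] = min(groups[upc]["start"], t)
        groups[upc]["eventcount"] += 1
    return groups


def timechart_1m(groups):
    """Mirror `timechart span=1m max(eventcount),median(eventcount),avg(eventcount)`.

    Each transaction lands in the minute bucket of its *start* time, so a UPC whose
    messages are spread over several minutes is counted once, in the first minute.
    """
    buckets = defaultdict(list)
    for g in groups.values():
        minute = g["start"].replace(second=0, microsecond=0)
        buckets[minute].append(g["eventcount"])
    return {
        m.isoformat(): {"max": max(c), "median": median(c), "avg": mean(c)}
        for m, c in sorted(buckets.items())
    }


def overall_stats(groups):
    """The aggregate the question asks for: stats over messages-per-UPC for all UPCs."""
    counts = [g["eventcount"] for g in groups.values()]
    return {"upcs": len(counts), "max": max(counts), "median": median(counts), "avg": mean(counts)}


if __name__ == "__main__":
    groups = transactions_by_upc(SAMPLE_EVENTS)
    for minute, row in timechart_1m(groups).items():
        print(minute, row)
    print("overall:", overall_stats(groups))
```

One thing the emulation makes visible: because the per-minute row keys off each transaction's first event, the timechart figures describe when a UPC was first seen rather than per-minute message volume, so the single `overall_stats` figure is the cleaner answer to "average messages per UPC" than any one timechart row.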