I am trying to run a report that shows the DHCP Leases per Second.  The report I ran (for the last 7 days) shows a max of 3000, but the data appears to be in 30 minute increments.  So, when I divide 3000 by 1800 (60 sec x 30 min) to get seconds, it comes out to be < 2 leases per second.  This seems way too low.  Is there a better way to calculate DHCP Leases per Second?  The specific report I ran is DHCP Message Rate Trend, which is the report our Infoblox support person recommended I run.    Any help would be appreciated.




Sorry but I do not know of any other way Smiley Sad


Dear Joe,

While I do not know your search string, I guess that you are running your search on dhcp_summary index (index=ib_dhcp_summary) which is a summary index updated every 30th minute from 14 through 59 by si-search-dhcp-message .


Please try the below and let me know what you think.

sourcetype=ib:dhcp:message index=ib_dhcp| rex "^[^,]*,(?<PROTO>[46])(,(?<COUNT1>\d+))?(,(?<COUNT2>\d+))?(,(?<COUNT3>\d+))?(,(?<COUNT4>\d+))?(,(?<COUNT5>\d+))?(,(?<COUNT6>\d+))?(,(?<COUNT7>\d+))?(,(?<COUNT8>\d+))?(,(?<COUNT9>\d+))?(,(?<COUNT10>\d+))?(,(?<COUNT11>\d+))?(,(?<COUNT12>\d+))?(,(?<COUNT13>\d+))?(,(?<COUNT14>\d+))?(,(?<COUNT15>\d+))?" | eval Protocol=if(PROTO=="6","IPV6","IPV4") | bucket span=1m _time | stats sum(eval(if(PROTO=="4",COUNT1/60,0))) as v4discover, sum(eval(if(PROTO=="4",COUNT2/60,0))) as v4offer, sum(eval(if(PROTO=="4",COUNT3/60,0))) as v4request, sum(eval(if(PROTO=="4",COUNT5/60,0))) as v4ack by _time   | timechart  bins=1000 avg(v4discover) as DHCPDISCOVER, avg(v4offer) as DHCPOFFER, avg(v4request) as DHCPREQUEST, avg(v4ack) as DHCPACK | interpolate 120

If you are searching data for the past 24 hours, you may want to change the "timechart bins=1000" value to ~10,000 and change it to ~50,000 or more for data as large as past 7 days so that you can get a per minute average.

Best Regards,
Bibin Thomas

