read stochastic -source 'srch_cluster'

Simulate a cluster of search engine hosts. This source is similar to read -source 'cdn', but with defaults that simulate multiple hosts undergoing a denial-of-service attack.`

read stochastic -source 'srch_cluster' source-params read-params

Source parameters

Parameter Description Required?
-every Historic points are downsampled at the specified interval

See Time notation in Juttle for syntax information.

No; default is the same as -max_samples
-max_samples Historic points are downsampled at an interval calculated so that there are no more than int intervals No; default is 1000
-nhosts The number of hosts to simulate No; the default is 5
-pops A list of Point of Presence (PoP) names to use with -nhosts

Host names are generated by assigning numbers to PoPs in a round-robin fashion, such as pop1.1, pop2.2, pop1.3, pop1.4, and so on.

-host_names A list of host names to use, in which case -nhosts is ignored and the number of hosts equals the number of specified host names No; when -nhosts is more than 1, and -host_names is omitted, then host names are randomly generated.
-service_names A list of service names to use, including one or more of the following:
  • search
  • index
  • authentication
No; the default is all three service names
-host_capacities The relative capacities of hosts

Daily CDN demand are divided among them by these proportions.

-daily The scale factor for daily demand wave

A value of n will max out n hosts during peak hours.

-dos The scale of DOS demand load on a host, between 0 and 1. A value of 1 will max out any host it hits. No; the default is 0.7
-dos_dur The average time that an attack spends on a host before moving to another host

Simulation times increase with this number; keep it to seconds or small minutes.

No; defaults to 15 seconds
-dos_id The customer ID of the DOS attacker No; default is 13
-dos_router The method for selecting the next host for the DOS demand. Roundrobin cycles through the host list, each for dos_dur seconds. markov is more interesting. No
-errp The syslog error percentage at peak demand No; defaults to 0.02
-lpm The average number of syslog lines per minute per host No; defaults to 60
-debug "1" to emit additional points with behind-the-scenes information No

Read parameters

Parameter Description Required?
-from Stream points whose time stamps are greater than or equal to the specified moment

See Time notation in Juttle for syntax information.

Required only if -to is not present; defaults to :now:
-to Stream points whose time stamps are less than the specified moment, which is less than or equal to :now:

See Time notation in Juttle for syntax information.

:information_source: Note:To stream live data only, omit -fromand specify -to :end: To combine historical and live data, specify a -fromvalue in the past and -to :end:

Required if -from is not present; defaults to :now:
-last Given a duration, shorthand for -from (:now: - duration) -to :now: No
filter-expression A field comparison, where multiple terms are joined with AND, OR, or NOT

See Filtering for additional details.


Example: Compare response times from the last two minutes to live streaming response times

// Get data from 2 minutes ago and ingest live data and et response_ms metrics from our search demo data

read stochastic -source 'srch_cluster' -from :2 minutes ago: name ='response_ms'
| batch :2 seconds:   // Group into 2 second intervals
| reduce p90 = percentile('value', .9) by service   // Calculate p90 response time
| view timechart
   -valueField 'p90'   // Plot data on a chart
   -keyField 'service'   // Every service should be a line on the chart
   -title 'Response time (ms) by Service'