Thoughts on bucketing

gistfile1.txt

```
T | T+1 | T+2 | T+3 | T+4 
1 |  5  |  6  |  2  |  5  # Number of hits

17 logs in 5 secs = 3.4 logs/s

Ex = Expired

One sec later...

Ex | T+1 | T+2 | T+3 | T+4 | T+5
Ex |  5  |  6  |  2  |  5  |  0  # Number of hits

16 logs in 5 secs = 3.2 logs/s

Another sec later

Ex | Ex | T+2 | T+3 | T+4 | T+5 | T+6
Ex | Ex |  6  |  2  |  5  |  0  |  20 # Number of hits

33 logs in 5 secs = 6.6 logs/s

Say 5 secs without activity

Ex | Ex | T+2 | T+3 | T+4 | T+5 | T+6 | T+7 | T+8 | T+9 | T+10 | T+11
Ex | Ex |  6  |  2  |  5  |  0  |  20 |  0  |  0  |  0  |  0   |  0 

0 logs in 5 secs = 0 logs/s

What is a flood?
- Defined as 200 logs within an hour

Cases that can happen if we use a single bucket for an hour
- 200 logs in the first hr bucket: FLAG
- 100 logs in the last 30 mins of first bucket -> 100 logs in the first 30mins of second bucket: NO FLAG

Cases that can happen if we use 10 min buckets for an hour (6 buckets)
- 100 logs in the first 3 bucket -> 100 logs in the next 3 bucket: FLAG
- 100 logs in the first 3 bucket -> first 3 buckets expired -> 100 logs for the next 3 buckets: NO FLAG
```