https://community.splunk.com/t5/Splunk-Search/How-to-generate-an-IIS-search-for-how-many-transactions-have-hit/m-p/353526#M104634 <P>New to Splunk and am having trouble writing a search that would tell me how many IIS transactions have hit a single server over one month with one minute granularity. I would also like this to be "visualized" with the average response time. </P> Wed, 14 Jun 2017 19:02:26 GMT Curman 2017-06-14T19:02:26Z https://community.splunk.com/t5/Splunk-Search/How-to-generate-an-IIS-search-for-how-many-transactions-have-hit/m-p/353526#M104634 <P>New to Splunk and am having trouble writing a search that would tell me how many IIS transactions have hit a single server over one month with one minute granularity. I would also like this to be "visualized" with the average response time. </P> Wed, 14 Jun 2017 19:02:26 GMT https://community.splunk.com/t5/Splunk-Search/How-to-generate-an-IIS-search-for-how-many-transactions-have-hit/m-p/353526#M104634 Curman 2017-06-14T19:02:26Z https://community.splunk.com/t5/Splunk-Search/How-to-generate-an-IIS-search-for-how-many-transactions-have-hit/m-p/353527#M104635 <P>Show a few sample events.</P> Wed, 14 Jun 2017 19:22:06 GMT https://community.splunk.com/t5/Splunk-Search/How-to-generate-an-IIS-search-for-how-many-transactions-have-hit/m-p/353527#M104635 woodcock 2017-06-14T19:22:06Z https://community.splunk.com/t5/Splunk-Search/How-to-generate-an-IIS-search-for-how-many-transactions-have-hit/m-p/353528#M104636 <P>OK, great. Can you help us with a bit more information? </P> <P>1) You do have the events coming into Splunk already?<BR /> 2) And you can find them in a search?<BR /> 3) Your issue is really how to transform those raw events into that particular search/report?</P> <P>If that's all true, then..</P> <P>4) Are the events parsed into fields properly (e.g. is the sourcetype set right, so that if you run a search in "Verbose" mode you can see fields like <CODE>c_ip</CODE> and <CODE>time_taken</CODE> ) ?</P> <P>Lastly, then, what do you mean by ...</P> <P>5) How would you define an "IIS transaction?"<BR /><BR /> 6) How does that interact with "time_taken"?<BR /> 7) 1 minute stats over 30 days is ~45,000 points. Can you display that? I can't.</P> <P>It's possible something as simple as </P> <PRE><CODE>sourcetype=iis | bin span=1m _time | stats avg(time_taken) by _time </CODE></PRE> <P>and switching to your Visualization tab and playing with some things in there. Indeed, try the above search over the past 4 hours or so and tell me what it gets you...</P> <P>If that actually works for your needs, I'll move this to an answer and we'll be done. But I think you'll have an answer in here that either a) says we need a bit more work or b) need to redefine the problem.</P> <P>Happy Splunking!<BR /> -Rich</P> Thu, 15 Jun 2017 00:01:23 GMT https://community.splunk.com/t5/Splunk-Search/How-to-generate-an-IIS-search-for-how-many-transactions-have-hit/m-p/353528#M104636 Richfez 2017-06-15T00:01:23Z https://community.splunk.com/t5/Splunk-Search/How-to-generate-an-IIS-search-for-how-many-transactions-have-hit/m-p/353529#M104637 <P>Thank You but I don't think I can post examples from our logs without heavily editing them </P> Wed, 21 Jun 2017 20:26:46 GMT https://community.splunk.com/t5/Splunk-Search/How-to-generate-an-IIS-search-for-how-many-transactions-have-hit/m-p/353529#M104637 Curman 2017-06-21T20:26:46Z https://community.splunk.com/t5/Splunk-Search/How-to-generate-an-IIS-search-for-how-many-transactions-have-hit/m-p/353530#M104638 <P>Thank you, this has given me the start that I needed to achieve what I'm looking for.</P> Wed, 21 Jun 2017 20:27:24 GMT https://community.splunk.com/t5/Splunk-Search/How-to-generate-an-IIS-search-for-how-many-transactions-have-hit/m-p/353530#M104638 Curman 2017-06-21T20:27:24Z