topic Re: 3 Report outputs into one in Splunk Search

3 Report outputs into one

n1ckl0ve — Wed, 30 Sep 2020 05:28:19 GMT

Hi All,

I'm fairly new to Splunk. I'm trying to save some time with an automated report on IIS Time Taken. I need to report on 3 metrics, % of time below 2ms, 4ms and any above 4ms and then output the searches to a single csv.

I've probably gone about this the wrong way but so far I've created 3 separate Searches to 3 different reports. What I'm trying to achieve is for the previous month's logs, Table the above 3 metrics by day, then add days together for a total, working out the % of each metric.

So far this is what I've got which achieves my objective for the Metrics by Day and adds them together I'm not sure how to string them together and wonder if anyone could give me any pointers?

host="" sourcetype=iis AND NOT (".jpg" OR "*.txt") | eval time_taken = time_taken/1000 | search time_taken< "2" | stats count by date | rename count as "Below 2ms"

I've done one search for each of the metrics I'm trying to report on but assume I'm going about it the wrong way.

Re: 3 Report outputs into one

gcusello — Tue, 19 May 2020 12:46:05 GMT

HI @n1ckl0ve,
you have to create a single search tagging the results with the eval command, something like this:

host="*" sourcetype=iis AND NOT (".jpg" OR "*.txt") 
| eval time_taken_milliseconds=time_taken/1000
| eval metric=if(time_taken_milliseconds<2,"Below 2ms",time_taken_milliseconds>4,"More than 4 ms","Between 2-4 ms")
| timechart count by metric

I quick hint: use always index=your_index in your searches to have faster searches.

Ciao.
Giuseppe

Re: 3 Report outputs into one

n1ckl0ve — Tue, 19 May 2020 14:57:03 GMT

Hi @gcusello and thank you for your response.

I've tried several ways to use your suggestion but I keep getting the arguments to the if function are invalid using it as is or by manipulating it in various ways. I've tried to understand the if function by reading Splunk documentation.

is it that the first argument filters the ones below 2ms, does the second argument use what ever wasn't caught by the first argument above 4ms and what's left is the difference between the two?

Thanks again Guiseppe.

Nick

Re: 3 Report outputs into one

n1ckl0ve — Tue, 19 May 2020 15:00:51 GMT

Hi @gcusello and thank you for your response.

is it that the first argument filters the ones below 2ms, does the second argument use what ever wasn't caught by the first argument above 4ms and what's left is the difference between the two?

Thanks again Giuseppe.

Nick

Re: 3 Report outputs into one

gcusello — Tue, 19 May 2020 15:12:23 GMT

HI @n1ckl0ve,
yes exactly.
Sorry there's an horror of mine!

| eval metric=if(time_taken_milliseconds<2,"Below 2ms",if(time_taken_milliseconds>4,"More than 4 ms","Between 2-4 ms"))

You could also use "case" instead "if", but I find easier this way.

Ciao.
Giuseppe

Re: 3 Report outputs into one

n1ckl0ve — Tue, 19 May 2020 15:29:25 GMT

Hi Giuseppe,

That's great thank you for helping with that. That basically works out of the box. I've changed timechart count by metric for timechart span=1d count by metric and that's creating the report perfectly including total count and percentages.

I am very grateful for your time thank you again,
Best regards

Nick