topic Re: Count of API calls over X time_taken, only if average time_taken is over a threshold in Splunk Search

Count of API calls over X time_taken, only if average time_taken is over a threshold

pzhou07920 — Tue, 29 Sep 2020 17:35:40 GMT

Hi,

I currently have a query that returns the a chart of API's whose calls average over a specific time limit (unique per API). I would then like to be able to display the count of calls over X seconds time_taken ONLY if that API had an average time_taken over X seconds.

Would I be correct in thinking that I should make my first search a sub search and then search on that to find the counts of timed out APIs?

Here is my current search for the APIs with average time_taken over a limit.

Re: Count of API calls over X time_taken, only if average time_taken is over a threshold

micahkemp — Tue, 09 Jan 2018 16:10:22 GMT

You should be able to just add count to your stats command.

index=mykplan_main cs_uri_stem="AAA" OR cs_uri_stem="BBB" 
| eval URI=cs_uri_stem 
| eval URI = lower(URI) 
| stats avg(eval(time_taken*.001)) as avg_duration, count by URI 
| eval avg_duration=round(avg_duration,2) 
| eval alert=if((avg_duration > 3 AND URI="AAA") OR (avg_duration > 1 AND URI="BBB") ,"alert", "ignore") 
| where alert="alert" 
| fields - alert

Re: Count of API calls over X time_taken, only if average time_taken is over a threshold

somesoni2 — Tue, 29 Sep 2020 17:31:26 GMT

How about this? YOu're already fetching avg time for a URI. You can just then get the count based on avg_duration as you're already filtering for avg_duration>threshold.

index=mykplan_main cs_uri_stem="AAA" OR cs_uri_stem="BBB" 
| eval URI=cs_uri_stem 
| eval URI = lower(URI) 
| stats avg(eval(time_taken*.001)) as avg_duration by URI 
| eval avg_duration=round(avg_duration,2) 
| eval alert=if((avg_duration > 3 AND URI="AAA") OR (avg_duration > 1 AND URI="BBB") ,"alert", "ignore") 
| where alert="alert" 
| chart count by avg_duration

Re: Count of API calls over X time_taken, only if average time_taken is over a threshold

pzhou07920 — Tue, 09 Jan 2018 17:04:46 GMT

Doing this only returns a count of 1 for every result, I think it counts the avg duration or something. I preferably want to only get the count of API calls over the same avg_duration threshold I used but total count of events by URI should be okay too.

Re: Count of API calls over X time_taken, only if average time_taken is over a threshold

rekhan — Mon, 09 Nov 2020 10:32:22 GMT

Hi ,

I am new to Splunk... We are pulling our logs from cloudwatch into splunk.

I want to create a dashboard to show the number of API calls by response - 2xx, 4xx and 5xx.

Basically I want to count the numbers of alerts for each response type for the API call.

Can you please help.