topic Re: Query for times in Splunk Search

Query for times

xvxt006 — Mon, 28 Sep 2020 14:24:50 GMT

Hi,

i would like to count how many uris that have response times greater than the 90th percentile times for response times greater than x secs..Say 30 secs and list them out.

I tried this. But it is not resulting any results
sourcetype="access_combined_wcookie" host=xxxx Time>30 | eventstats perc90(Time) as hightimes by uri_path | where Time>highimes | table uri_path, count, hightimes

Re: Query for times

sideview — Mon, 28 Sep 2020 14:25:04 GMT

I'm pretty sure that the relevant field name in access_combined_wcookie is called req_time, rather than Time. At least, in the default access extractions that ship with Splunk there is no extracted field called Time.

If you run these searches are you getting extracted values for Time? Or only for req_time?

sourcetype="access_combined_wcookie" host=xxxx | table Time req_time

Otherwise you're close. You have one little typo (highimes != hightimes), and if you want a "count" field, you need another stats on the end to roll it up.

Here you go, assuming again that req_time is the field name and not Time.

sourcetype="access_combined_wcookie" host=xxxx req_time>30 | eventstats perc90(req_time) as hightime by uri_path | where req_time>hightime | stats count last(hightime) as hightime by uri_path

Re: Query for times

xvxt006 — Wed, 24 Jul 2013 03:52:58 GMT

Hi Thanks for your reply. Just to be on the same page, i am looking for count of each uri for which response time is greater than the 90th percentile time. You are right, the field name is not time.

Like below.

URI COUNT 90thPercentile
xxxx 10 15.6 secs
yyyy 5 10.23
zzzz 14 9.78

Re: Query for times

xvxt006 — Wed, 24 Jul 2013 03:54:02 GMT

BTw, i tried the modified query but not getting any data

Re: Query for times

xvxt006 — Wed, 24 Jul 2013 04:13:37 GMT

what does it mean by - stats count last(hightime) as hightime. Say if the 90th percentile time is 15.6 secs but there are another 5 instances where the time is greater than 15.6 secs. Does this give count as 5? and also would it show the hightime (90th percentile) as 15.6?

Re: Query for times

sideview — Mon, 28 Sep 2020 14:25:07 GMT

Because of the | where req_time>hightime , the rows coming into that stats clause will only be the rows where the req_time is higher than the 90th percentile value. then the stats clause will give, for each uri_path, count (number of rows higher than 90th percentile) and last(hightime) as hightime (which is just the 90th percentile value).