Re: Get response time from webserver access logs

svr2017 · ‎10-02-2017

Hi,

I am trying to get avg response time in a time frame from below web server access logs.

hostname:port 198.x.x.x - - - [29/Sep/2017:15:20:28 +0000] "POST /vendor-service-v2.1/VendorServiceProvider/v2.1.0 HTTP/1.1" 200 0/18688 1205 "-" "SAP NetWeaver Application Server (1.0;731)".

Here in above logs 0/18688 is the response time ( format is %T( time in seconds)/%D( time in micro seconds)).

Any help is much appreciated.
Thanks

HiroshiSatoh · ‎10-03-2017

Try this!

(your search)|rex field=_raw "^.\".\"\s\d*\s(?< response_time>[0-9/])\s.$"

svr2017 · ‎10-04-2017

I tried this, it isn't giving me any results and sorry my question should be to get the avg response time in a given time frame.

inventsekar · ‎10-03-2017

Hi, you just want to extract the "0/18688" thru rex or something else you want
can you post few more webserver access logs samples please..

svr2017 · ‎10-04-2017

yes I want to extract just that and below are more logs.

hostname:port 192.X.X.X - - - [04/Oct/2017:00:05:17 +0000] "POST /manage-service-v2.1/ManageProvider/v2.1.0 HTTP/1.1" 200 0/275844 4581 "-" "IBM WebServices/1.0"
hostname:port 192.X.X.X - - - [04/Oct/2017:00:05:17 +0000] "POST /manage-service-v2.1/ManageProvider/v2.1.0 HTTP/1.1" 200 0/538517 896 "-" "-"
hostname:port 192.X.X.X - - - [04/Oct/2017:00:05:17 +0000] "POST /manage-ervice-v2.1/ManageProvider/v2.1.0 HTTP/1.1" 200 0/242675 2762 "-" "-"
hostname:port 192.X.X.X - - - [04/Oct/2017:00:05:18 +0000] "POST /manage-service-v1.1/ManageProvider/v1.1.0 HTTP/1.1" 200 0/16996 1249 "-" "-"- 172.23.176.4 - - - [04/Oct/2017:00:05:18 +0000] "GET /" 200 0/1258 195 "-" "-"
hostname:port 192.X.X.X - - - [04/Oct/2017:00:05:18 +0000] "POST /manage-service-v2.1/ManageProvider/v2.1.0 HTTP/1.1" 200 0/23896 1701 "-" "SAP NetWeaver Application Server (1.0;731)"
hostname:port 192.X.X.X - - - [04/Oct/2017:00:05:19 +0000] "POST /manage-credit-service-v2.1/ManageProvider/v2.1.0 HTTP/1.1" 200 0/26037 942 "-" "SAP NetWeaver Application Server (1.0;731)"
hostname:port 192.X.X.X - - - [04/Oct/2017:00:05:19 +0000] "POST /manage-credit-service-v2.1/ManageProvider/v2.1.0 HTTP/1.1" 200 0/248812 987 "-" "IBM WebServices/1.0"

naming syntax -- (?)

svr2017 · ‎10-04-2017

yes I want to extract just that and below are more logs.

hostname:port 192.X.X.X - - - [04/Oct/2017:00:05:17 +0000] "POST /manage-service-v2.1/ManageProvider/v2.1.0 HTTP/1.1" 200 0/275844 4581 "-" "IBM WebServices/1.0"
hostname:port 192.X.X.X - - - [04/Oct/2017:00:05:17 +0000] "POST /manage-service-v2.1/ManageProvider/v2.1.0 HTTP/1.1" 200 0/538517 896 "-" "-"
hostname:port 192.X.X.X - - - [04/Oct/2017:00:05:17 +0000] "POST /manage-ervice-v2.1/ManageProvider/v2.1.0 HTTP/1.1" 200 0/242675 2762 "-" "-"
hostname:port 192.X.X.X - - - [04/Oct/2017:00:05:18 +0000] "POST /manage-service-v1.1/ManageProvider/v1.1.0 HTTP/1.1" 200 0/16996 1249 "-" "-"- 172.23.176.4 - - - [04/Oct/2017:00:05:18 +0000] "GET /" 200 0/1258 195 "-" "-"
hostname:port 192.X.X.X - - - [04/Oct/2017:00:05:18 +0000] "POST /manage-service-v2.1/ManageProvider/v2.1.0 HTTP/1.1" 200 0/23896 1701 "-" "SAP NetWeaver Application Server (1.0;731)"
hostname:port 192.X.X.X - - - [04/Oct/2017:00:05:19 +0000] "POST /manage-credit-service-v2.1/ManageProvider/v2.1.0 HTTP/1.1" 200 0/26037 942 "-" "SAP NetWeaver Application Server (1.0;731)"
hostname:port 192.X.X.X - - - [04/Oct/2017:00:05:19 +0000] "POST /manage-credit-service-v2.1/ManageProvider/v2.1.0 HTTP/1.1" 200 0/248812 987 "-" "IBM WebServices/1.0"

naming syntax -- (?)

Get response time from webserver access logs

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Event Series: Telemetry Pipeline Management

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Join the Conversation