Splunk Customized Query to set average data on response time of my url
& my expected format of query is like below:
index=linux(status!=200) (hoster="*.com")
| eval startdate = date
| eval enddate=date
| eval avgInLast7Days
| eval avgInLast24Hrs
| eval stirng= url_path
|stats count(_raw) as Cnt by stirng
| sort -Cnt
Please help to have this query.
Maybe like this (assuming that there is a field called response_time in your events):
index=linux(status!=200) (hoster="*.com") earliest=-7d@d latest=now
| timechart span=1d avg(response_time) AS response_time BY url_path
| multireport
[ | head 1 | eval _time="THIS IS THE AVERAGE FOR THE LAST DAY" ]
[ | stats avg(*) AS * | eval _time="THIS IS THE 7-DAY AVERAGE OF DAILY AVERAGES" ]
I am not getting anything on "THIS IS THE AVERAGE FOR THE LAST DAY" field column.
Do you have a field called response_time and one called url_path? Both are required.
Your query doesn't seem to have anything to do with "average response time".
1) That stats command is going to get you the count, that's it.
2) Your evals have no code to calculate or assign anything.
Here's pseudocode for two different ways of doing this, depending on whether there is a single record with the response time already calculated, or whether you need to calculate the _time difference between two records.
Use this if you have all the info you need to calculate response time on each event record.
(your search that selects the records you want)
| eval resptime=(your code that calculates the response time)
| stats avg(resptime) by url_path
Use this if you need to find the difference between two records to calculate the response time, and if there is a single key field (such as session ID or request ID) that tells you which starting and ending events belong together.
(your search that selects the records you want)
| eval matchkey = case(if it is a start record, the key field from the start record,
if it is an end record, the key from the end record)
| stats min(_time) as _time range(_time) as resptime values(url_path) as url_path by matchkey
| stats avg(resptime) by url_path
In each of the above cases, for information about how the response time is changing across time, you could replace the final stats command with
| bin _time span=5m
| stats avg(resptime) by _time url_path
or with
| timechart span=5m avg(resptime) by url_path
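The second approach above (pairing start and end records on a key), as an added example that is not part of the original answer. It runs on constructed events generated with makeresults; the field names event_type, request_id and reply_to, and the sample rows, are assumptions made up for illustration.

```spl
| makeresults
| eval constructed_sample=split("0.0,start,r1,/api/cars;0.4,end,r1,/api/cars;10.0,start,r2,/api/cars;10.8,end,r2,/api/cars;20.0,start,r3,/login;20.2,end,r3,/login;30.0,start,r4,/login", ";")
| mvexpand constructed_sample
| eval f=split(constructed_sample, ","), _time=_time + tonumber(mvindex(f,0)), event_type=mvindex(f,1), id=mvindex(f,2), url_path=mvindex(f,3)
| eval request_id=if(event_type=="start", id, null()), reply_to=if(event_type=="end", id, null())
| eval matchkey=case(event_type=="start", request_id, event_type=="end", reply_to)
| stats min(_time) AS _time range(_time) AS resptime values(url_path) AS url_path count AS events BY matchkey
| where events=2
| stats avg(resptime) AS avg_resptime count AS requests BY url_path
| eval avg_resptime=round(avg_resptime, 3)
```

Request r4 has a start record but no end record, so its range(_time) is 0; the where events=2 filter drops such unmatched requests so they do not pull the average down.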
Thanks !
1. I need to have a time format like ddmmyyyy to set start & end date on my report.
2. URL without query string and without VINs etc format
Can you please share your log data sample?