Archive
Highlighted

Can you help me fix my query which finds the average response time of my URL?

New Member

Splunk Customized Query to set average data on response time of my url & my expected format of query is like below :

index=linux(status!=200) (hoster="*.com")
| eval startdate = date 
| eval enddate=date
| eval avgInLast7Days
| eval avgInLast24Hrs
| eval stirng= url_path
|stats count(_raw) as Cnt by stirng
| sort -Cnt

Please help to have this query .

Tags (1)
0 Karma
Highlighted

Re: Can you help me fix my query which finds the average response time of my URL?

Influencer

can you please share your log data sample.

0 Karma
Highlighted

Re: Can you help me fix my query which finds the average response time of my URL?

SplunkTrust
SplunkTrust

Your query doesn't seem to have anything to do with "average response time".

1) That stats command is going to get you the count, that's it.

2) Your evals have no code to calculate or assign anything.

Here's pseudocode for two different ways of doing this, depending on whether there is a single record with the response time already calculated, or whether you need to calculate the _time difference between two records.

Use this if you have all the info you need to calculate response time on each event record.

  (your search that selects the records you want)
 | eval resptime=(your code that calculates the response time)
 | stats avg(resptime) by url_path

Use this if you need to find the difference between two records to calculate the response time, and if there is a single key field (such as session ID or request ID) that tells you which starting and ending events belong together.

  (your search that selects the records you want)
 | eval matchkey = case(if it is a start record, the key field from the start record, 
                                          if it is an end record, the key from the end record)
 | stats min(_time) as _time range(_time) as resptime values(url_path) as url_path by matchkey
 | stats avg(resptime) by url_path

In each of the above cases, for information about how the response time is changing across time, you could replace the final stats command with

 |  bin _time span=5m
 | stats avg(resptime) by _time url_path 

or with

 | timechart span=5m avg(resptime) by url_path
0 Karma
Highlighted

Re: Can you help me fix my query which finds the average response time of my URL?

New Member

Thanks !
1. I need to have a time formart like ddmmyyyy to set start & end date on my report.
2. URL without query string and without VINs etc format

0 Karma
Highlighted

Re: Can you help me fix my query which finds the average response time of my URL?

Esteemed Legend

Maybe like this (assuming that there is a field called response_time in your events):

index=linux(status!=200) (hoster="*.com") earliest=-7d@d latest=now
| timechart span=1d avg(response_time) AS response_time BY url_path
| multireport
[ | head 1 | eval _time="THIS IS THE AVERAGE FOR THE LAST DAY" ]
[ | stats avg(*) AS * | eval _time="THIS IS THE 7-DAY AVERAGE OF DAILY AVERAGES" ]
0 Karma
Highlighted

Re: Can you help me fix my query which finds the average response time of my URL?

New Member

O/P

I am not getting anything on "THIS IS THE AVERAGE FOR THE LAST DAY" filed comumn.

Can you please check this ?

0 Karma
Highlighted

Re: Can you help me fix my query which finds the average response time of my URL?

Esteemed Legend

do you have a field called response_time and one called url_path? Both are required.

0 Karma