Splunk customized query to set average data on response time of my URL. My expected format of query is like below:
index=linux(status!=200) (hoster="*.com") | eval startdate = date | eval enddate=date | eval avgInLast7Days | eval avgInLast24Hrs | eval string= url_path | stats count(_raw) as Cnt by string | sort -Cnt
Please help me to have this query.
Your query doesn't seem to have anything to do with "average response time".
The stats command is going to get you the count, that's it.
The evals have no code to calculate or assign anything.
Here's pseudocode for two different ways of doing this, depending on whether there is a single record with the response time already calculated, or whether you need to calculate the _time difference between two records.
Use this if you have all the info you need to calculate response time on each event record.
(your search that selects the records you want) | eval resptime=(your code that calculates the response time) | stats avg(resptime) by url_path
Use this if you need to find the difference between two records to calculate the response time, and if there is a single key field (such as session ID or request ID) that tells you which starting and ending events belong together.
(your search that selects the records you want) | eval matchkey = case(if it is a start record, the key field from the start record, if it is an end record, the key from the end record) | stats min(_time) as _time range(_time) as resptime values(url_path) as url_path by matchkey | stats avg(resptime) by url_path
In each of the above cases, for information about how the response time is changing across time, you could replace the final stats command with one of the following:
| bin _time span=5m | stats avg(resptime) by _time url_path
| timechart span=5m avg(resptime) by url_path
1. I need to have a time format like ddmmyyyy to set start & end date on my report.
2. URL without query string and without VINs etc. format
Maybe like this (assuming that there is a field called response_time in your events):
index=linux(status!=200) (hoster="*.com") earliest=-7d@d latest=now | timechart span=1d avg(response_time) AS response_time BY url_path | multireport [ | head 1 | eval _time="THIS IS THE AVERAGE FOR THE LAST DAY" ] [ | stats avg(*) AS * | eval _time="THIS IS THE 7-DAY AVERAGE OF DAILY AVERAGES" ]
I am not getting anything in the "THIS IS THE AVERAGE FOR THE LAST DAY" field column.
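Pulling the thread's requirements together (ddmmyyyy start/end dates, URL without query string or VINs, last-day and 7-day averages per URL), here is an added SPL search of my own; it is not code from either answer above. It assumes, as the second answer does, that each event carries a response_time field along with url_path and hoster, and that a VIN appears as a 17-character path segment (VINs omit the letters I, O and Q). The first stats builds one row per URL per day, the second collapses those rows into the 7-day average of daily averages and picks out the most recent complete day for the 24-hour figure.

```spl
index=linux status!=200 hoster="*.com" earliest=-7d@d latest=@d
| eval url_clean=mvindex(split(url_path, "?"), 0)
| eval url_clean=replace(url_clean, "/[A-HJ-NPR-Z0-9]{17}(?=/|$)", "/VIN")
| eval day=strftime(_time, "%d%m%Y")
| eval last_day=strftime(relative_time(now(), "-1d@d"), "%d%m%Y")
| stats avg(response_time) AS daily_avg count AS requests
        min(_time) AS first_seen max(_time) AS last_seen
        BY url_clean day last_day
| stats avg(daily_avg) AS avgInLast7Days
        max(eval(if(day==last_day, daily_avg, null()))) AS avgInLast24Hrs
        sum(requests) AS requests
        min(first_seen) AS first_seen max(last_seen) AS last_seen
        BY url_clean
| eval startdate=strftime(first_seen, "%d%m%Y"), enddate=strftime(last_seen, "%d%m%Y")
| table url_clean startdate enddate avgInLast24Hrs avgInLast7Days requests
| sort - avgInLast7Days
```

The window ends at midnight (latest=@d) so that both the seven days and the "last day" are complete days; a URL with no non-200 responses on the last day shows an empty avgInLast24Hrs rather than a misleading zero.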