Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get average page size from access logs

xvxt006
Contributor
‎12-06-2012 07:01 AM

Hi, From the access logs, i am getting the commands (part of URI) and their execution count in a tabular format. I want to add average page size to it. I am able to extract the page size individually by adding a field. But how can i include it in the same query so that i can get all stats with same query.

Current query

sourcetype=accesscombinedwcookie host=prgwc* | rex field=uri "((?:/wrewwee/)|(?:/werwerww/eww/))(?[a-zA-Z0-9]+)" | top limit=5000 command

For example, right now i have the output looks like this.

Command Count Percentage
Search 14000 8%
Home 7000 4%

I would like to have the output like this

Command Count Percentage AvgPageSize
Search 14000 8% 60k
Home 7000 4% 50k

How can i do this? Any help is appreciated 🙂

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

alacercogitatus
SplunkTrust
SplunkTrust
‎12-06-2012 08:04 AM

I think you will be wanting appendcols command. The problem is that you have to different operations you want (top and stats). It makes the search longer, and runs 2 searches, but with different styles of data stats. Try this:

sourcetype=accesscombinedwcookie host=prgwc* | rex field=uri "((?:/wrewwee/)|(?:/werwerww/eww/))(?[a-zA-Z0-9]+)" | top limit=5000 command | appendcols [search sourcetype=accesscombinedwcookie host=prgwc* | rex field=uri "((?:/wrewwee/)|(?:/werwerww/eww/))(?[a-zA-Z0-9]+)" | stats avg(PageSize) as AvgPageSize by command]

http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/Appendcols

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

alacercogitatus
SplunkTrust
SplunkTrust
‎12-06-2012 08:04 AM

I think you will be wanting appendcols command. The problem is that you have to different operations you want (top and stats). It makes the search longer, and runs 2 searches, but with different styles of data stats. Try this:

sourcetype=accesscombinedwcookie host=prgwc* | rex field=uri "((?:/wrewwee/)|(?:/werwerww/eww/))(?[a-zA-Z0-9]+)" | top limit=5000 command | appendcols [search sourcetype=accesscombinedwcookie host=prgwc* | rex field=uri "((?:/wrewwee/)|(?:/werwerww/eww/))(?[a-zA-Z0-9]+)" | stats avg(PageSize) as AvgPageSize by command]

http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/Appendcols

0 Karma
Reply
Solved! Jump to solution

xvxt006
Contributor
‎12-06-2012 09:00 AM

Hi, when i try to drill down, i am getting this message "PARSER: Applying intentions failed Unable to drilldown because of post-reporting 'appendcols' command". any idea why we would get this?

0 Karma
Reply
Solved! Jump to solution

xvxt006
Contributor
‎12-06-2012 08:42 AM

Awesome. I am getting the results on the first look they are looking good. Thanks for your help.

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎12-06-2012 07:05 AM

If you use the stats command, you can just add this:

... | stats count,avg(PageSize) as AvgPageSize by command

(assuming you have the page size extracted to a field called "PageSize")

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎12-06-2012 08:34 AM

Yeah you can't use both. The caveat with not using the top command is that you won't get the percent field. There are ways of calculating it with stats as well, though it's a bit more work than with top. Do you want the percent field?

0 Karma
Reply
Solved! Jump to solution

xvxt006
Contributor
‎12-06-2012 07:47 AM

Thanks Ayn. if i have both stats and top, results are not looking right. If i took out top, i don't see percentage for the commands. Any suggestions?

| stats count, avg(PageSize) as AvgPageSize by command | top limit=5000 command

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...