calculate average response time per application

mehulSinghRatho · ‎08-11-2018

Hi,
I am a bit new to splunk and query language.
In my logs, i am having "application name", "Request Time stamp" and "Response Time stamp".

Using this, I need get average response time for all my applications.
Please guide.
thanks in advance.

acharlieh · ‎08-11-2018

So assuming that all three of those are in the same event, your first step would be to use the eval command to convert the timestamps to epoch time using the strftime() function. You can then take a difference between them to get the duration between the request and the response in seconds. Then you could use stats command to calculate avg(duration) by app.

If however the request time and response time per app appears in different events, then you are likely looking at finagling with the transaction command to stitch the pairs of events together by a request identifier. Assuming your data is being parsed properly and Request time and response time are just _time, transaction would calculate duration for you. Finally stats to get the average by app again.

That's the overall gist, but of course a lot depends on the structure of your data and the field names you have extracted for the details.
(arguably the time between the request and the response is the processing time, as opposed to the time the client started the request to the time the client finished receiving the response.. but again... details)

mehulSinghRatho · ‎08-30-2018

totally agreed on your point.

i tried few thing. and stuck at converting the time using strptime() and splunk specified time Format
My Timestamp in logs is - 2018-08-30T07:47:16.127+01:00

I used the following search-

... | eval n=strptime(timeStr, "%Y-%m-%dT%H:%M:%S.%3N%:z")

acharlieh · ‎08-30-2018

That works fine for me. You can use makeresults and eval to fake results to try things out on. For example:

| makeresults | eval timeStr="2018-08-30T07:47:16.127+01:00" | eval n=strptime(timeStr, "%Y-%m-%dT%H:%M:%S.%3N%:z")

Are you sure your timeStr is being extracted correctly?

mehulSinghRatho · ‎08-11-2018

Hi Acharlieh,

i am able to write a base query, that is providing all 3 fields in a single event(single log). Each event contains following field -
- "applicationName"
- "requestTS"
- "responseTS"

i am looking for average processing time for each applications (i have about 50 application).
("responseTS" - "requestTS") is going to be the processing time for a particular event (for a particular application).
now there could be hundreds of events for each application.

please help me write a query assuming my base query be-

{BASE-QUERY}

acharlieh · ‎08-12-2018

Please read my response more thoroughly, make an attempt at building the query on your own, and ask specific questions in a manner that shows you are attempting to understand the information already given to you. I already gave you not only the methodology for working with data that had those three fields per event, but also links straight to Splunk's documentation on all the commands and functions you will likely have to use.

The people who volunteer their time to on this site are here out of their own personal passion to help others learn about Splunk and learn to help use Splunk better. Right now your comment reads as if you are asking me to do your work for you, which is disrespectful of the time I donated to try to help you learn to solve your problem and future problems like it on your own. If you are not interested in learning but rather just want someone do your work for you, Splunk and many Splunk Partners offer for hire a wide variety of professional services, from Admin on Demand credits, to full blown engagements.

calculate average response time per application

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...