How to display response time from performance.log in a graph?

New Member

Hi,

I am new to Splunk and need some help.

See here below an example of my performance.log:

2016-11-29 17:38:51,966;;;;RTI;/messages;2;log-rest
2016-11-29 17:38:51,911;;messages;service;;;0;log-rest
2016-11-29 17:38:51,880;13cpvmx3bXE/4i0fqgB20H2Zke7vJ41q;sendmyorder;portlet;RT;overView;40;customers
2016-11-29 17:38:51,793;zsFS6vnZoASelCFNv8wH7iiPMV1SmDR2IimbDntp2+MOs2azPOSsFSbXEjmMX6sPNJV63vq6UE3GhQPAGtxd7A==;;;RTI;/wsdl/contact/chain;2;www-api

What I want is to have the url (like messages / wsdl/contact/chain etc) and their response time (2/0/40/2) in a graph.

Is that possible? How to make my search query in that case?

Thanks a lot in advance.

Amit

0 Karma

Motivator

If every log line is a single event, then a good start might be to extract the url and response time first and then plot it over a timechart:

your query to return the events
| rex field=_raw "^(?<date_time>[^;]*);(?<token>[^;]*);(?<field3>[^;]*);(?<field4>[^;]*);(?<field5>[^;]*);(?<url>[^;]*);(?<respTime>[^;]*);(?<field8>[\S]*)"
| timechart max(respTime) by url useother=f usenull=f

See the above field extractions in action here

However, since in your dataset the url for the second row is null, you can choose to tweak the query accordingly to avoid such cases. Also, I have used the function max(respTime); however, depending on your requirement, please replace that with avg(respTime) or min(respTime) etc.

0 Karma
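Added example, not part of the original answer: a way to check the extraction offline against the four sample lines from the question before charting. The rex pattern is rewritten in Python's `(?P<name>...)` group syntax; the function names are hypothetical, and skipping events with an empty url is an assumption about how the second sample row should be handled.

```python
import re

# The answer's rex pattern, translated to Python named-group syntax.
LINE_RE = re.compile(
    r"^(?P<date_time>[^;]*);(?P<token>[^;]*);(?P<field3>[^;]*);"
    r"(?P<field4>[^;]*);(?P<field5>[^;]*);(?P<url>[^;]*);"
    r"(?P<respTime>[^;]*);(?P<field8>\S*)"
)

# The four sample lines from the question.
SAMPLE = """\
2016-11-29 17:38:51,966;;;;RTI;/messages;2;log-rest
2016-11-29 17:38:51,911;;messages;service;;;0;log-rest
2016-11-29 17:38:51,880;13cpvmx3bXE/4i0fqgB20H2Zke7vJ41q;sendmyorder;portlet;RT;overView;40;customers
2016-11-29 17:38:51,793;zsFS6vnZoASelCFNv8wH7iiPMV1SmDR2IimbDntp2+MOs2azPOSsFSbXEjmMX6sPNJV63vq6UE3GhQPAGtxd7A==;;;RTI;/wsdl/contact/chain;2;www-api
"""


def extract(line):
    """Return (url, respTime) for one event, or None if it cannot be charted."""
    m = LINE_RE.match(line)
    if m is None:
        return None  # fewer than eight ';'-separated columns
    url, resp = m.group("url"), m.group("respTime")
    # No url or a non-numeric respTime: nothing to chart for this event.
    if not url or not resp.isdigit():
        return None
    return url, int(resp)


def max_by_url(lines):
    """Offline stand-in for max(respTime) by url, without time bucketing."""
    result, skipped = {}, []
    for line in lines:
        pair = extract(line)
        if pair is None:
            skipped.append(line)  # keep these to see what the chart would omit
            continue
        url, resp = pair
        result[url] = max(result.get(url, resp), resp)
    return result, skipped


if __name__ == "__main__":
    chart, omitted = max_by_url(SAMPLE.splitlines())
    print(chart)
    print(f"{len(omitted)} event(s) without a usable url/respTime")
```

The skipped list shows that the second sample row carries its name in the third column rather than the url column, which is the case the answer suggests tweaking the query for.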

New Member

Sorry for the delay, but thanks a lot for the response. This helped.

0 Karma