Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to get timechart for top responsetime URL

ravir_jbp
Explorer
‎09-19-2023 02:18 AM

I am able to get the list of URL with top response time using below query.

index=xyz earliest=-1hr latest=now | rex field=_raw "^(?\d*\.\d*\.\d*\.\d*)\s\[\w.*\]\s(?\d*)\s\"(?\w*)\s(?\S*)\sHTTP\/1.1\"\s(?\d*)\s(?\d*)\"(?\S*)\"\"\w.*\"\s\S*(?web*\d*)\s\S*" | search sourceLBIP="*" responsetime="*" getorpost="*" uri="*" statuscode="*" responsesize="*" refereralURL="*" node="*" | eval responsetime1=responsetime/1000000 | stats count by responsetime1,node, responsesize, uri, _time, statuscode | sort -responsetime1 | head 1 

 

I am trying to modify this query for more detailed information. I am able to get the top 1 URL which has highest response time. But I need the timechart partner to understand the responsetime trend for that speicifc URL for last 1 hour. Also, like to modify the script in a such a way where it sould provide me the timechart trend of any URL (top responsetime) for 1 hour. URL may not be same every time since it may change.

Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-19-2023 03:15 AM

If I have understood your requirement correctly, you could try something like this

 

index=xyz earliest=-1hr latest=now | rex field=_raw "^(?\d*\.\d*\.\d*\.\d*)\s\[\w.*\]\s(?\d*)\s\"(?\w*)\s(?\S*)\sHTTP\/1.1\"\s(?\d*)\s(?\d*)\"(?\S*)\"\"\w.*\"\s\S*(?web*\d*)\s\S*" | search sourceLBIP="*" responsetime="*" getorpost="*" uri="*" statuscode="*" responsesize="*" refereralURL="*" node="*" | eval responsetime1=responsetime/1000000 
| eventstats max(responsetime) as max_responsetime
| eventstats first(eval(if(responsetime == max_responsetime, uri, null()))) as longest_uri
| where uri=longest_uri
| chart values(responsetime) by _time longest_uri

 

0 Karma
Reply

ravir_jbp
Explorer
‎09-19-2023 06:37 AM

@ITWhisperer  IT worked !!! thank you so much 

0 Karma
Reply

ravir_jbp
Explorer
‎09-19-2023 03:51 AM

@ITWhisperer , thank you for sharing the query. Seems "| where url=longest_url" condition is not recognizing. I was looking for timechart which can provide me the response time trend for any top response time consuming. 

For example, if http://xyz.com/report consuming highest response time. I need the trend for last 1 hour trend on the performance on that specific URL. 

Hope that helps

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-19-2023 04:25 AM

Typo on my part (updated my response to use uri instead of url)

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...

Global Splunk User Group Events: May + June 2026

Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide    Staying ahead in the fast-paced ...