Getting Data In

How to get timechart for top responsetime URL

ravir_jbp
Explorer

I am able to get the list of URL with top response time using below query.

index=xyz earliest=-1hr latest=now | rex field=_raw "^(?\d*\.\d*\.\d*\.\d*)\s\[\w.*\]\s(?\d*)\s\"(?\w*)\s(?\S*)\sHTTP\/1.1\"\s(?\d*)\s(?\d*)\"(?\S*)\"\"\w.*\"\s\S*(?web*\d*)\s\S*" | search sourceLBIP="*" responsetime="*" getorpost="*" uri="*" statuscode="*" responsesize="*" refereralURL="*" node="*" | eval responsetime1=responsetime/1000000 | stats count by responsetime1,node, responsesize, uri, _time, statuscode | sort -responsetime1 | head 1 

 

I am trying to modify this query for more detailed information. I am able to get the top 1 URL which has highest response time. But I need the timechart partner to understand the responsetime trend for that speicifc URL for last 1 hour. Also, like to modify the script in a such a way where it sould provide me the timechart trend of any URL (top responsetime) for 1 hour. URL may not be same every time since it may change.

Labels (1)
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

If I have understood your requirement correctly, you could try something like this

 

index=xyz earliest=-1hr latest=now | rex field=_raw "^(?\d*\.\d*\.\d*\.\d*)\s\[\w.*\]\s(?\d*)\s\"(?\w*)\s(?\S*)\sHTTP\/1.1\"\s(?\d*)\s(?\d*)\"(?\S*)\"\"\w.*\"\s\S*(?web*\d*)\s\S*" | search sourceLBIP="*" responsetime="*" getorpost="*" uri="*" statuscode="*" responsesize="*" refereralURL="*" node="*" | eval responsetime1=responsetime/1000000 
| eventstats max(responsetime) as max_responsetime
| eventstats first(eval(if(responsetime == max_responsetime, uri, null()))) as longest_uri
| where uri=longest_uri
| chart values(responsetime) by _time longest_uri

 

0 Karma

ravir_jbp
Explorer

@ITWhisperer  IT worked !!! thank you so much 

0 Karma

ravir_jbp
Explorer

@ITWhisperer , thank you for sharing the query. Seems "| where url=longest_url" condition is not recognizing. I was looking for timechart which can provide me the response time trend for any top response time consuming. 

For example, if http://xyz.com/report consuming highest response time. I need the trend for last 1 hour trend on the performance on that specific URL. 

Hope that helps

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Typo on my part (updated my response to use uri instead of url)

0 Karma
Get Updates on the Splunk Community!

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...

IM Landing Page Filter - Now Available

We’ve added the capability for you to filter across the summary details on the main Infrastructure Monitoring ...

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud

Splunk continues to improve the troubleshooting experience in Observability Cloud with this latest enhancement ...