Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to get timechart for top responsetime URL

ravir_jbp
Explorer
‎09-19-2023 02:18 AM

I am able to get the list of URL with top response time using below query.

index=xyz earliest=-1hr latest=now | rex field=_raw "^(?\d*\.\d*\.\d*\.\d*)\s\[\w.*\]\s(?\d*)\s\"(?\w*)\s(?\S*)\sHTTP\/1.1\"\s(?\d*)\s(?\d*)\"(?\S*)\"\"\w.*\"\s\S*(?web*\d*)\s\S*" | search sourceLBIP="*" responsetime="*" getorpost="*" uri="*" statuscode="*" responsesize="*" refereralURL="*" node="*" | eval responsetime1=responsetime/1000000 | stats count by responsetime1,node, responsesize, uri, _time, statuscode | sort -responsetime1 | head 1 

 

I am trying to modify this query for more detailed information. I am able to get the top 1 URL which has highest response time. But I need the timechart partner to understand the responsetime trend for that speicifc URL for last 1 hour. Also, like to modify the script in a such a way where it sould provide me the timechart trend of any URL (top responsetime) for 1 hour. URL may not be same every time since it may change.

Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-19-2023 03:15 AM

If I have understood your requirement correctly, you could try something like this

 

index=xyz earliest=-1hr latest=now | rex field=_raw "^(?\d*\.\d*\.\d*\.\d*)\s\[\w.*\]\s(?\d*)\s\"(?\w*)\s(?\S*)\sHTTP\/1.1\"\s(?\d*)\s(?\d*)\"(?\S*)\"\"\w.*\"\s\S*(?web*\d*)\s\S*" | search sourceLBIP="*" responsetime="*" getorpost="*" uri="*" statuscode="*" responsesize="*" refereralURL="*" node="*" | eval responsetime1=responsetime/1000000 
| eventstats max(responsetime) as max_responsetime
| eventstats first(eval(if(responsetime == max_responsetime, uri, null()))) as longest_uri
| where uri=longest_uri
| chart values(responsetime) by _time longest_uri

 

0 Karma
Reply

ravir_jbp
Explorer
‎09-19-2023 06:37 AM

@ITWhisperer  IT worked !!! thank you so much 

0 Karma
Reply

ravir_jbp
Explorer
‎09-19-2023 03:51 AM

@ITWhisperer , thank you for sharing the query. Seems "| where url=longest_url" condition is not recognizing. I was looking for timechart which can provide me the response time trend for any top response time consuming. 

For example, if http://xyz.com/report consuming highest response time. I need the trend for last 1 hour trend on the performance on that specific URL. 

Hope that helps

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-19-2023 04:25 AM

Typo on my part (updated my response to use uri instead of url)

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

How to find the worst searches in your Splunk environment and how to fix them

Everyone knows Splunk is a powerful platform for running searches and doing data analytics. Your ...

Share Your Feedback: On Admin Config Service (ACS)!

Help Us Build a Better Admin Config Service Experience (ACS)   We Want Your Feedback on Admin Config Service ...