Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to get timechart for top responsetime URL

ravir_jbp
Explorer
‎09-19-2023 02:18 AM

I am able to get the list of URL with top response time using below query.

index=xyz earliest=-1hr latest=now | rex field=_raw "^(?\d*\.\d*\.\d*\.\d*)\s\[\w.*\]\s(?\d*)\s\"(?\w*)\s(?\S*)\sHTTP\/1.1\"\s(?\d*)\s(?\d*)\"(?\S*)\"\"\w.*\"\s\S*(?web*\d*)\s\S*" | search sourceLBIP="*" responsetime="*" getorpost="*" uri="*" statuscode="*" responsesize="*" refereralURL="*" node="*" | eval responsetime1=responsetime/1000000 | stats count by responsetime1,node, responsesize, uri, _time, statuscode | sort -responsetime1 | head 1 

 

I am trying to modify this query for more detailed information. I am able to get the top 1 URL which has highest response time. But I need the timechart partner to understand the responsetime trend for that speicifc URL for last 1 hour. Also, like to modify the script in a such a way where it sould provide me the timechart trend of any URL (top responsetime) for 1 hour. URL may not be same every time since it may change.

Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-19-2023 03:15 AM

If I have understood your requirement correctly, you could try something like this

 

index=xyz earliest=-1hr latest=now | rex field=_raw "^(?\d*\.\d*\.\d*\.\d*)\s\[\w.*\]\s(?\d*)\s\"(?\w*)\s(?\S*)\sHTTP\/1.1\"\s(?\d*)\s(?\d*)\"(?\S*)\"\"\w.*\"\s\S*(?web*\d*)\s\S*" | search sourceLBIP="*" responsetime="*" getorpost="*" uri="*" statuscode="*" responsesize="*" refereralURL="*" node="*" | eval responsetime1=responsetime/1000000 
| eventstats max(responsetime) as max_responsetime
| eventstats first(eval(if(responsetime == max_responsetime, uri, null()))) as longest_uri
| where uri=longest_uri
| chart values(responsetime) by _time longest_uri

 

0 Karma
Reply

ravir_jbp
Explorer
‎09-19-2023 06:37 AM

@ITWhisperer  IT worked !!! thank you so much 

0 Karma
Reply

ravir_jbp
Explorer
‎09-19-2023 03:51 AM

@ITWhisperer , thank you for sharing the query. Seems "| where url=longest_url" condition is not recognizing. I was looking for timechart which can provide me the response time trend for any top response time consuming. 

For example, if http://xyz.com/report consuming highest response time. I need the trend for last 1 hour trend on the performance on that specific URL. 

Hope that helps

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-19-2023 04:25 AM

Typo on my part (updated my response to use uri instead of url)

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Platform | Upgrading your Splunk Deployment to Python 3.9

Splunk initially announced the removal of Python 2 during the release of Splunk Enterprise 8.0.0, aiming to ...

From Product Design to User Insights: Boosting App Developer Identity on Splunkbase

co-authored by Yiyun Zhu & Dan Hosaka Engaging with the Community at .conf24 At .conf24, we revitalized the ...

Detect and Resolve Issues in a Kubernetes Environment

We’ve gone through common problems one can encounter in a Kubernetes environment, their impacts, and the ...