Excited to post my first Splunk question.
I want to perform statistical analysis on API response time that I get from our app server log.
The log format is:
timestamp1 API=<api1> ResponseTime=<R1>
timestamp2 API=<api2> ResponseTime=<R2>
timestamp3 API=<api3> ResponseTime=<R3>
timestamp1 API=<api1> ResponseTime=<R4>
..
..
For a week of data I want to plot the histogram of the hourly average of ResponseTime for api1.
I did the following query:
index=<index> api1|bucket _time span=1h|stats avg(ResponseTime) by _time
Now how do I take the result of the above query and build a histogram?
I did the following:
index=<index> api1|bucket _time span=1h|stats avg(ResponseTime) by _time as X|stats count(X)
But this query seems to be wrong.
Could you please recommend the correct query?
Hi ngatchasandra,
It is not resulting in a series of values to plot a histogram. It is returning a single number (count).
What I am looking for is a frequency chart of hourly average values.
I did the following:
index= api1|bucket _time span=1h|stats avg(ResponseTime) by _time |rename avg(ResponseTime) as X|stats values(X)
It is indeed giving a set of values for the average. Now, how do I do a frequency chart of these values in the search?
Looks like it is working! Just added bins=100 to your query.
index= api1|bucket _time span=1h|stats avg(ResponseTime) by _time |rename avg(ResponseTime) as X|stats values(X)|chart count by values(x) bins=100
Please, you did not give me points. Perhaps it is to you even you have to give the points. Can you correct it?
Yes, try with index= api1|bucket _time span=1h|stats avg(ResponseTime) by _time |rename avg(ResponseTime) as X|stats values(X)|chart count by values(x)
Hi oldtester,
Try with index= api1|bucket _time span=1h|stats avg(ResponseTime) by _time |rename avg(ResponseTime) as X|stats count(X) by _time
Try now with index= api1|bucket _time span=1h|stats avg(ResponseTime) by _time |rename avg(ResponseTime) as X|stats values(X)|chart count by values(x)