
Can you help me fix my query which finds the average response time of my URL?

satyajitjem
New Member

Splunk customized query to set average data on response time of my URL; my expected format of the query is like below:

index=linux(status!=200) (hoster="*.com")
| eval startdate = date 
| eval enddate=date
| eval avgInLast7Days
| eval avgInLast24Hrs
| eval stirng= url_path
|stats count(_raw) as Cnt by stirng
| sort -Cnt

Please help to have this query.

0 Karma

woodcock
Esteemed Legend

Maybe like this (assuming that there is a field called response_time in your events):

index=linux(status!=200) (hoster="*.com") earliest=-7d@d latest=now
| timechart span=1d avg(response_time) AS response_time BY url_path
| multireport
[ | head 1 | eval _time="THIS IS THE AVERAGE FOR THE LAST DAY" ]
[ | stats avg(*) AS * | eval _time="THIS IS THE 7-DAY AVERAGE OF DAILY AVERAGES" ]
0 Karma

satyajitjem
New Member

O/P

I am not getting anything on the "THIS IS THE AVERAGE FOR THE LAST DAY" field column.

Can you please check this?

0 Karma

woodcock
Esteemed Legend

Do you have a field called response_time and one called url_path? Both are required.

0 Karma

DalJeanis
SplunkTrust

Your query doesn't seem to have anything to do with "average response time".

1) That stats command is going to get you the count, that's it.

2) Your evals have no code to calculate or assign anything.

Here's pseudocode for two different ways of doing this, depending on whether there is a single record with the response time already calculated, or whether you need to calculate the _time difference between two records.

Use this if you have all the info you need to calculate response time on each event record.

  (your search that selects the records you want)
 | eval resptime=(your code that calculates the response time)
 | stats avg(resptime) by url_path

Use this if you need to find the difference between two records to calculate the response time, and if there is a single key field (such as session ID or request ID) that tells you which starting and ending events belong together.

  (your search that selects the records you want)
 | eval matchkey = case(if it is a start record, the key field from the start record, 
                                          if it is an end record, the key from the end record)
 | stats min(_time) as _time range(_time) as resptime values(url_path) as url_path by matchkey
 | stats avg(resptime) by url_path

In each of the above cases, for information about how the response time is changing across time, you could replace the final stats command with

 |  bin _time span=5m
 | stats avg(resptime) by _time url_path 

or with

 | timechart span=5m avg(resptime) by url_path
0 Karma
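
The pairing approach from the answer above, carried through on constructed events as an added Python example (not code from the thread). It goes one step beyond the post: a key that has only a start record gets resptime 0 from range(_time) and pulls the average down unless such groups are filtered out. The event tuples, the request_id key and the `events` count column are assumptions.

```python
from collections import defaultdict

# Constructed sample events (not from the thread):
# (epoch_seconds, phase, request_id, url_path). request_id stands in for the
# "single key field" in the answer; all field names here are assumptions.
EVENTS = [
    (100.0, "start", "r1", "/login"),
    (100.4, "end",   "r1", "/login"),
    (101.0, "start", "r2", "/login"),
    (101.8, "end",   "r2", "/login"),
    (102.0, "start", "r3", "/search"),  # no end record: still open, or log lost
    (103.0, "start", "r4", "/search"),
    (103.5, "end",   "r4", "/search"),
]

def pair_by_key(events):
    """Mirror of: stats min(_time) range(_time) values(url_path) count by matchkey."""
    groups = defaultdict(list)
    for ts, _phase, key, url in events:
        groups[key].append((ts, url))
    rows = []
    for key, items in groups.items():
        times = [t for t, _ in items]
        rows.append({
            "matchkey": key,
            "_time": min(times),
            "resptime": max(times) - min(times),  # range(_time): 0 for a lone event
            "url_path": items[0][1],              # one url_path per key assumed
            "events": len(items),                 # extra count column (assumption)
        })
    return rows

def avg_by_url(rows, require_pair=True):
    """Mirror of: stats avg(resptime) by url_path.
    require_pair=True corresponds to adding `| where events=2` before it."""
    per_url = defaultdict(list)
    for row in rows:
        if require_pair and row["events"] != 2:
            continue  # drop unmatched start/end records instead of averaging a 0
        per_url[row["url_path"]].append(row["resptime"])
    return {url: round(sum(v) / len(v), 3) for url, v in per_url.items()}

if __name__ == "__main__":
    rows = pair_by_key(EVENTS)
    print("unfiltered:", avg_by_url(rows, require_pair=False))
    print("pairs only:", avg_by_url(rows, require_pair=True))
```
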

satyajitjem
New Member

Thanks!
1. I need to have a time format like ddmmyyyy to set start & end date on my report.
2. URL without query string and without VINs etc. format

0 Karma

Vijeta
Influencer

Can you please share your log data sample?

0 Karma