Can you help me fix my query which finds the average response time of my URL?

New Member

Splunk customized query to set average data on response time of my URL. My expected format of query is like below:

index=linux(status!=200) (hoster="*.com")
| eval startdate = date 
| eval enddate=date
| eval avgInLast7Days
| eval avgInLast24Hrs
| eval stirng= url_path
|stats count(_raw) as Cnt by stirng
| sort -Cnt

Please help to have this query.

0 Karma

Esteemed Legend

Maybe like this (assuming that there is a field called response_time in your events):

index=linux(status!=200) (hoster="*.com") earliest=-7d@d latest=now
| timechart span=1d avg(response_time) AS response_time BY url_path
| multireport
[ | head 1 | eval _time="THIS IS THE AVERAGE FOR THE LAST DAY" ]
[ | stats avg(*) AS * | eval _time="THIS IS THE 7-DAY AVERAGE OF DAILY AVERAGES" ]
0 Karma

New Member


I am not getting anything in the "THIS IS THE AVERAGE FOR THE LAST DAY" field column.

Can you please check this?

0 Karma

Esteemed Legend

Do you have a field called response_time and one called url_path? Both are required.

0 Karma


Your query doesn't seem to have anything to do with "average response time".

1) That stats command is going to get you the count, that's it.

2) Your evals have no code to calculate or assign anything.

Here's pseudocode for two different ways of doing this, depending on whether there is a single record with the response time already calculated, or whether you need to calculate the _time difference between two records.

Use this if you have all the info you need to calculate response time on each event record.

  (your search that selects the records you want)
 | eval resptime=(your code that calculates the response time)
 | stats avg(resptime) by url_path

Use this if you need to find the difference between two records to calculate the response time, and if there is a single key field (such as session ID or request ID) that tells you which starting and ending events belong together.

  (your search that selects the records you want)
 | eval matchkey = case(if it is a start record, the key field from the start record, 
                                          if it is an end record, the key from the end record)
 | stats min(_time) as _time range(_time) as resptime values(url_path) as url_path by matchkey
 | stats avg(resptime) by url_path

In each of the above cases, for information about how the response time is changing across time, you could replace the final stats command with

 |  bin _time span=5m
 | stats avg(resptime) by _time url_path 

or with

 | timechart span=5m avg(resptime) by url_path
0 Karma
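
The second pseudocode pattern above (pairing start and end records by a key), as an added example that is not part of the original answer. Everything in it is constructed so it runs without any index: the events come from makeresults, and the field names phase, req, resp_to and events are assumptions standing in for whatever your own data carries.

```spl
| makeresults count=7
| streamstats count AS n
| eval id=case(n<=2, "r1", n<=4, "r2", n<=6, "r3", true(), "r4")
| eval phase=if(n%2==1, "start", "end")
| eval req=if(phase=="start", id, null())
| eval resp_to=if(phase=="end", id, null())
| eval url_path=if(id=="r3", "/login", "/search")
| eval _time=_time + case(n==1, 0, n==2, 0.2, n==3, 10, n==4, 10.4, n==5, 20, n==6, 21.5, n==7, 30)
| fields _time phase req resp_to url_path
| eval matchkey=case(phase=="start", req, phase=="end", resp_to)
| stats min(_time) AS _time range(_time) AS resptime count AS events values(url_path) AS url_path BY matchkey
| where events=2
| stats avg(resptime) AS avg_resptime BY url_path
```

The seventh event is a start record with no matching end; without the `where events=2` filter its range(_time) of 0 would be averaged in and pull the /search result down.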

New Member

Thanks !
1. I need to have a time format like ddmmyyyy to set start & end date on my report.
2. URL without query string and without VINs etc format

0 Karma


Can you please share your log data sample?

0 Karma