Re: splunk search to calculate average response ti...

ravir_jbp · ‎03-03-2021

We have Get and Post events in the apache logs. I am trying to exact the average respones time for every URLs that are being accessed by users. Below are the example of log events. How can I calculate the average response time.

10.XXX.X.X [03/Mar/2021:05:42:10 -0600] 84112 "GET /XXXXX/content/actions/amt/tasks/my-tasks?lang=en_US HTTP/1.1" 200 23593 "https://testpage.com/test/*" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36" - 907D339F136C5166E589B1128488A341.app2

10.XXX.X.X [03/Mar/2021:05:42:10 -0600] 84112 "GET /XXXXX/content/actions/amt/tasks/my-tasks?lang=en_US HTTP/1.1" 200 23593 "https://testpage.com/retest/*" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36" - 907D339F136C5166E589B1128488A341.app2

ITWhisperer · ‎03-03-2021

Extract the URL and response time from your events, then use stats avg(response) by URL

ravir_jbp · ‎03-03-2021

can you provide the query to extact the response time and URL. I thing we have to use "rex" but can you help me with query. I am new to this.

ITWhisperer · ‎03-03-2021

Ideally, these fields should be extracted when you ingest the log. Apache log format is configurable so it depends on what your configuration is as to which fields are which. This is something you need to identify.

ravir_jbp · ‎03-03-2021

Okay can you suggest on how I can use rex and sed to replace 200 status code with * and count the number status error codes. The purpose is to find status code (200, 300,400 and 500)

HTTP/1.1" 200 1893

ITWhisperer · ‎03-03-2021

| rex "HTTP\/\d\.\d\"\s(?<status>\d+)\s"

splunk search to calculate average response time for every URLs accessed

configuration

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life