Splunk ITSI

How to calculate response time from haproxy logs

ravir_jbp
Explorer

Below are the HP proxy logs format Where in we see Get and post entries along with the status code and response time in milli seconds.(example- 200 (status code) 5715(is response time in miliseconds). I like to calculate the average response time in 1 minute interval.

 

 

Feb 15 12:19:49 localhost haproxy[7046]: XX.XX.XXX.X:41534 [15/Feb/2021:12:19:49.989] xyz rest_service/rest-hostname-port 0/0/0/6/6 200 5715 - - --VN 73/73/7/0/0 0/0 "GET /filterservices/xx/sadfsfsd HTTP/1.1"

Feb 15 12:19:49 localhost haproxy[7046]: XX.XX.XXX.X:50177 [15/Feb/2021:12:19:49.955] xyz rest_service/rest-hostname-port 0/0/0/2/3 200 1541 - - --VN 73/73/7/0/0 0/0 "GET /contentservices/js/feedback_container.js?_=234324255 HTTP/1.1"

Feb 15 12:19:49 localhost haproxy[37427]: XX.XX.XXX.X:56769 [15/Feb/2021:12:19:49.655] xyz sserices/servuce.service-hostname 0/0/0/7/9 200 2848 - - ---- 79/79/1/1/0 0/0 "POST /service/service/select HTTP/1.1"

Labels (1)
Tags (1)
0 Karma

scelikok
SplunkTrust
SplunkTrust

Hi @ravir_jbp,

Additon to @lperini_splunk, below regex should work;

| makeresults
| eval _raw = "Feb 15 12:19:49 localhost haproxy[7046]: XX.XX.XXX.X:41534 [15/Feb/2021:12:19:49.989] xyz rest_service/rest-hostname-port 0/0/0/6/6 200 5715 - - --VN 73/73/7/0/0 0/0 \"GET /filterservices/xx/sadfsfsd HTTP/1.1"
| rex "\s(?:\d\/){4}\d\s\d{3}\s+(?<myresponsetime>[\d]+)\s"
| timechart span=1m avg(myresponsetime)
If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma

lperini_splunk
Splunk Employee
Splunk Employee

I know it is not ideal (the regex is considering the 200 status code and it is hardcoded), but just to ilustrate:

| makeresults
| eval _raw = "Feb 15 12:19:49 localhost haproxy[7046]: XX.XX.XXX.X:41534 [15/Feb/2021:12:19:49.989] xyz rest_service/rest-hostname-port 0/0/0/6/6 200 5715 - - --VN 73/73/7/0/0 0/0 \"GET /filterservices/xx/sadfsfsd HTTP/1.1"
| rex "200\s+(?<myresponsetime>[\d]+)"
| timechart span=1m avg(myresponsetime)
0 Karma
Get Updates on the Splunk Community!

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...

Splunk Classroom Chronicles: Training Tales and Testimonials

Welcome to the "Splunk Classroom Chronicles" series, created to help curious, career-minded learners get ...

Access Tokens Page - New & Improved

Splunk Observability Cloud recently launched an improved design for the access tokens page for better ...