Splunk ITSI

How to calculate response time from haproxy logs

ravir_jbp
Explorer

Below is the HAProxy log format, wherein we see GET and POST entries along with the status code and response time in milliseconds (example: 200 is the status code, 5715 is the response time in milliseconds). I would like to calculate the average response time in 1-minute intervals.

Feb 15 12:19:49 localhost haproxy[7046]: XX.XX.XXX.X:41534 [15/Feb/2021:12:19:49.989] xyz rest_service/rest-hostname-port 0/0/0/6/6 200 5715 - - --VN 73/73/7/0/0 0/0 "GET /filterservices/xx/sadfsfsd HTTP/1.1"

Feb 15 12:19:49 localhost haproxy[7046]: XX.XX.XXX.X:50177 [15/Feb/2021:12:19:49.955] xyz rest_service/rest-hostname-port 0/0/0/2/3 200 1541 - - --VN 73/73/7/0/0 0/0 "GET /contentservices/js/feedback_container.js?_=234324255 HTTP/1.1"

Feb 15 12:19:49 localhost haproxy[37427]: XX.XX.XXX.X:56769 [15/Feb/2021:12:19:49.655] xyz sserices/servuce.service-hostname 0/0/0/7/9 200 2848 - - ---- 79/79/1/1/0 0/0 "POST /service/service/select HTTP/1.1"

0 Karma

scelikok
SplunkTrust

Hi @ravir_jbp,

In addition to @lperini_splunk's answer, the regex below should work:

| makeresults
| eval _raw = "Feb 15 12:19:49 localhost haproxy[7046]: XX.XX.XXX.X:41534 [15/Feb/2021:12:19:49.989] xyz rest_service/rest-hostname-port 0/0/0/6/6 200 5715 - - --VN 73/73/7/0/0 0/0 \"GET /filterservices/xx/sadfsfsd HTTP/1.1\""
| rex "\s(?:\d\/){4}\d\s\d{3}\s+(?<myresponsetime>[\d]+)\s"
| timechart span=1m avg(myresponsetime)

If this reply helps you, an upvote and "Accept as Solution" is appreciated.
0 Karma

lperini_splunk
Splunk Employee

I know it is not ideal (the regex is considering the 200 status code and it is hardcoded), but just to illustrate:

| makeresults
| eval _raw = "Feb 15 12:19:49 localhost haproxy[7046]: XX.XX.XXX.X:41534 [15/Feb/2021:12:19:49.989] xyz rest_service/rest-hostname-port 0/0/0/6/6 200 5715 - - --VN 73/73/7/0/0 0/0 \"GET /filterservices/xx/sadfsfsd HTTP/1.1\""
| rex "200\s+(?<myresponsetime>[\d]+)"
| timechart span=1m avg(myresponsetime)
0 Karma
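
Added example, not code from either reply above: in HAProxy's HTTP log format the slash-separated group before the status code holds the timers in milliseconds and the number after the status code is the byte count. This Python parser extracts both, accepts any status code and multi-digit or -1 timers, and averages per minute. The function names and the last two sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# HAProxy HTTP log: [accept_date] frontend backend/server timers status bytes ...
# timers = five "/"-separated millisecond values; -1 marks a phase that never
# completed, and a leading "+" appears when "option logasap" is in use.
LINE_RE = re.compile(
    r"\[(?P<accept_date>[^\]]+)\]\s+\S+\s+\S+\s+"
    r"(?P<timers>(?:[+-]?\d+/){4}[+-]?\d+)\s+"
    r"(?P<status>\d{3})\s+(?P<bytes_read>\+?\d+)\s"
)

def parse_line(line):
    """Return minute bucket, total time, status and byte count, or None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    timers = [int(t) for t in m["timers"].split("/")]
    when = datetime.strptime(m["accept_date"], "%d/%b/%Y:%H:%M:%S.%f")
    return {
        "minute": when.replace(second=0, microsecond=0),
        "total_ms": timers[4],  # last timer: total time for the request
        "status": int(m["status"]),
        "bytes_read": int(m["bytes_read"]),
    }

def per_minute_average(lines, field="total_ms"):
    """Average `field` per 1-minute bucket, skipping unparsed lines and -1."""
    buckets = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec[field] >= 0:
            buckets[rec["minute"]].append(rec[field])
    return {minute: sum(v) / len(v) for minute, v in sorted(buckets.items())}

# The first three lines are the samples from the question; the last two are
# constructed here (multi-digit timers, non-200 status, aborted request).
SAMPLE = [
    'Feb 15 12:19:49 localhost haproxy[7046]: XX.XX.XXX.X:41534 [15/Feb/2021:12:19:49.989] xyz rest_service/rest-hostname-port 0/0/0/6/6 200 5715 - - --VN 73/73/7/0/0 0/0 "GET /filterservices/xx/sadfsfsd HTTP/1.1"',
    'Feb 15 12:19:49 localhost haproxy[7046]: XX.XX.XXX.X:50177 [15/Feb/2021:12:19:49.955] xyz rest_service/rest-hostname-port 0/0/0/2/3 200 1541 - - --VN 73/73/7/0/0 0/0 "GET /contentservices/js/feedback_container.js?_=234324255 HTTP/1.1"',
    'Feb 15 12:19:49 localhost haproxy[37427]: XX.XX.XXX.X:56769 [15/Feb/2021:12:19:49.655] xyz sserices/servuce.service-hostname 0/0/0/7/9 200 2848 - - ---- 79/79/1/1/0 0/0 "POST /service/service/select HTTP/1.1"',
    'Feb 15 12:20:03 localhost haproxy[7046]: XX.XX.XXX.X:41590 [15/Feb/2021:12:20:03.120] xyz rest_service/rest-hostname-port 0/0/12/148/160 404 310 - - --VN 73/73/7/0/0 0/0 "GET /filterservices/xx/missing HTTP/1.1"',
    'Feb 15 12:20:41 localhost haproxy[7046]: XX.XX.XXX.X:41602 [15/Feb/2021:12:20:41.007] xyz xyz/<NOSRV> -1/-1/-1/-1/25 400 187 - - CR-- 73/73/0/0/0 0/0 "<BADREQ>"',
]

if __name__ == "__main__":
    for name in ("total_ms", "bytes_read"):
        print(name, per_minute_average(SAMPLE, name))
```

The same pattern can be used with rex, which accepts the `(?P<name>...)` group syntax.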