Splunk ITSI

splunk search to calculate average response time for every URLs accessed

ravir_jbp
Explorer

 

We have Get and Post events in the apache logs. I am trying to exact the average respones time for every URLs that are being accessed by users. Below are the example of log events.  How can I calculate the average response time.

10.XXX.X.X [03/Mar/2021:05:42:10 -0600] 84112 "GET /XXXXX/content/actions/amt/tasks/my-tasks?lang=en_US HTTP/1.1" 200 23593 "https://testpage.com/test/*" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36" - 907D339F136C5166E589B1128488A341.app2

 

10.XXX.X.X [03/Mar/2021:05:42:10 -0600] 84112 "GET /XXXXX/content/actions/amt/tasks/my-tasks?lang=en_US HTTP/1.1" 200 23593 "https://testpage.com/retest/*" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36" - 907D339F136C5166E589B1128488A341.app2

Labels (1)
Tags (1)
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Extract the URL and response time from your events, then use stats avg(response) by URL

0 Karma

ravir_jbp
Explorer

can you provide the query to extact the response time and URL. I thing we have to use "rex" but can you help me with query. I am new to this.

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Ideally, these fields should be extracted when you ingest the log. Apache log format is configurable so it depends on what your configuration is as to which fields are which. This is something you need to identify.

0 Karma

ravir_jbp
Explorer

Okay can you suggest on how I can use rex and sed to replace 200 status code with * and count the number status error codes. The purpose is to find status code (200, 300,400 and 500)

 

HTTP/1.1" 200 1893

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
| rex "HTTP\/\d\.\d\"\s(?<status>\d+)\s"
0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...