Splunk Search

3 Report outputs into one

n1ckl0ve
New Member

Hi All,

I'm fairly new to Splunk. I'm trying to save some time with an automated report on IIS Time Taken. I need to report on 3 metrics, % of time below 2ms, 4ms and any above 4ms and then output the searches to a single csv.

I've probably gone about this the wrong way but so far I've created 3 separate Searches to 3 different reports. What I'm trying to achieve is for the previous month's logs, Table the above 3 metrics by day, then add days together for a total, working out the % of each metric.

So far this is what I've got which achieves my objective for the Metrics by Day and adds them together I'm not sure how to string them together and wonder if anyone could give me any pointers?

host="" sourcetype=iis AND NOT (".jpg" OR "*.txt") | eval time_taken = time_taken/1000 | search time_taken< "2" | stats count by date | rename count as "Below 2ms"

I've done one search for each of the metrics I'm trying to report on but assume I'm going about it the wrong way.

Labels (1)
Tags (1)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

HI @n1ckl0ve,
you have to create a single search tagging the results with the eval command, something like this:

host="*" sourcetype=iis AND NOT (".jpg" OR "*.txt") 
| eval time_taken_milliseconds=time_taken/1000
| eval metric=if(time_taken_milliseconds<2,"Below 2ms",time_taken_milliseconds>4,"More than 4 ms","Between 2-4 ms")
| timechart count by metric

I quick hint: use always index=your_index in your searches to have faster searches.

Ciao.
Giuseppe

View solution in original post

0 Karma

gcusello
SplunkTrust
SplunkTrust

HI @n1ckl0ve,
you have to create a single search tagging the results with the eval command, something like this:

host="*" sourcetype=iis AND NOT (".jpg" OR "*.txt") 
| eval time_taken_milliseconds=time_taken/1000
| eval metric=if(time_taken_milliseconds<2,"Below 2ms",time_taken_milliseconds>4,"More than 4 ms","Between 2-4 ms")
| timechart count by metric

I quick hint: use always index=your_index in your searches to have faster searches.

Ciao.
Giuseppe

0 Karma

n1ckl0ve
New Member

Hi @gcusello and thank you for your response.

I've tried several ways to use your suggestion but I keep getting the arguments to the if function are invalid using it as is or by manipulating it in various ways. I've tried to understand the if function by reading Splunk documentation.

is it that the first argument filters the ones below 2ms, does the second argument use what ever wasn't caught by the first argument above 4ms and what's left is the difference between the two?

Thanks again Giuseppe.

Nick

0 Karma

gcusello
SplunkTrust
SplunkTrust

HI @n1ckl0ve,
yes exactly.
Sorry there's an horror of mine!

| eval metric=if(time_taken_milliseconds<2,"Below 2ms",if(time_taken_milliseconds>4,"More than 4 ms","Between 2-4 ms"))

You could also use "case" instead "if", but I find easier this way.

Ciao.
Giuseppe

0 Karma

n1ckl0ve
New Member

Hi Giuseppe,

That's great thank you for helping with that. That basically works out of the box. I've changed timechart count by metric for timechart span=1d count by metric and that's creating the report perfectly including total count and percentages.

I am very grateful for your time thank you again,
Best regards

Nick

0 Karma

n1ckl0ve
New Member

Hi @gcusello and thank you for your response.

I've tried several ways to use your suggestion but I keep getting the arguments to the if function are invalid using it as is or by manipulating it in various ways. I've tried to understand the if function by reading Splunk documentation.

is it that the first argument filters the ones below 2ms, does the second argument use what ever wasn't caught by the first argument above 4ms and what's left is the difference between the two?

Thanks again Guiseppe.

Nick

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...