Splunk Search

Average response time for group of API

Harish429
Loves-to-Learn Lots

Hi Team,

I want to create a Splunk dashboard with the average response time taken by all the APIs which follow this condition.

Example:

I have below API's

/api/cvraman/book

/api/apj/book

/api/nehru/book

/api/cvraman/collections

/api/apj/collections

/api/indira/collections

/api/rahul/notes

/api/rajiv/notes

/api/modi/notes

Now I will check for the average of the APIs /api/*/book, /api/*/collections, /api/*/notes.

The dashboard should have only these response times in the chart: /api/*/book, /api/*/collections, /api/*/notes.

I tried the below query but the dashboard shows the combined average of all three. Can someone please help with this?

index=your_index (URI = /api/*/book OR URI = /api/*/collections OR /api/*/notes. ) |stats avg(duration) as avg_time

0 Karma

Harish429
Loves-to-Learn Lots

Not exactly like the above one, but the output should be a chart with x-axis /api/*/book, /api/*/collections and /api/*/notes, and the y-axis should be the response time.

0 Karma

ITWhisperer
SplunkTrust

Just use a line chart or column chart as your visualisation.

[screenshot: line/column chart visualisation]

0 Karma

Harish429
Loves-to-Learn Lots

Not this way. What I need is, suppose:

/api/cvraman/book - took 1 msec for response

/api/apj/book - took 2 msec for response

/api/nehru/book - took 3 msec for response

/api/cvraman/collections - took 1 msec for response

/api/apj/collections - took 3 msec for response

/api/indira/collections - took 5 msec for response

/api/rahul/notes - took 1 msec for response

/api/rajiv/notes - took 4 msec for response

/api/modi/notes - took 6 msec for response

Now in the chart I should have only three APIs:

/api/*/book - calculate the average of /api/cvraman/book, /api/apj/book, /api/nehru/book
/api/*/collections - same, the average of the collections APIs
/api/*/notes - same, the average of the notes APIs

0 Karma

ITWhisperer
SplunkTrust
| rex mode=sed field=URI "s/(?<root>\/\w+\/)[^\/]+(?<api>.*)/\1*\2/g"
| stats avg(duration) as avg_time by URI
0 Karma

Harish429
Loves-to-Learn Lots

Thank you for the response.

But this gives me the average response time of all the APIs.

If I just need the response of the APIs which match only /api/*/Book, /api/*/collections/, /api/*/notes, then what would be the rex statement?

0 Karma

ITWhisperer
SplunkTrust

Here is a runanywhere example using random durations showing the average of the APIs. How is this different from what you have asked for?

| makeresults count=10
| eval _raw="/api/cvraman/book
/api/apj/book
/api/nehru/book
/api/cvraman/collections
/api/apj/collections
/api/indira/collections
/api/rahul/notes
/api/rajiv/notes
/api/modi/notes"
| multikv noheader=t 
| eval duration=random()%10
| rename _raw as URI
``` The lines above create dummy data ```
| rex mode=sed field=URI "s/(?<root>\/\w+\/)[^\/]+(?<api>.*)/\1*\2/g"
| stats avg(duration) as avg_time by URI
0 Karma

Harish429
Loves-to-Learn Lots

Maybe I guess I have not communicated clearly.

The final output should have only three APIs.

Just like this: [screenshot: Screenshot 2023-11-30 at 4.24.43 PM.png]

0 Karma

ITWhisperer
SplunkTrust

Correct, but it is clearer now; thank you.

Try it this way

| rex mode=sed field=URI "s/(?<root>\/\w+\/)[^\/]+(?<api>.*)/\1*\2/g"
| eval responseTime="response time"
| chart avg(duration) as avg_time by responseTime URI

You can set the x-axis Title to "None"

[screenshot: chart with a single "response time" x-axis group and one column per API pattern]

0 Karma

Harish429
Loves-to-Learn Lots

The above rex will give all the APIs.

For example, we have another API /API/*/workbooks. Now with the query you provided it would give the values of this API also. I don't want that.

I just need values of /API/*/Books, /API/*/collections, /API/*/Notes only.

0 Karma

ITWhisperer
SplunkTrust

The filter on your search should be only including the events you want - if you have other events, you need to tighten the filter to exclude the unwanted events. Can you share an example of the events which are being included which should not be based on your filter?

0 Karma

Harish429
Loves-to-Learn Lots

That's production data so I couldn't share it here, but from the results I can see that it gives the results of /api/*/Workbook, /api/*/testbooks responses also, which I don't need.

Actually the prod APIs I renamed and just added workbook, testbooks, notes like that.

Hope you understand

0 Karma

ITWhisperer
SplunkTrust

Understood. So, it sounds like your filter isn't working effectively. Here is a runanywhere example showing the filter working on the sample data, with Workbook and testbook being excluded from the results.

| makeresults count=10
| eval _raw="/api/cvraman/book
/api/apj/book
/api/nehru/book
/api/nehru/Workbook
/api/nehru/testbook
/api/cvraman/collections
/api/apj/collections
/api/indira/collections
/api/rahul/notes
/api/rajiv/notes
/api/modi/notes"
| multikv noheader=t 
| eval duration=random()%10
| rename _raw as URI
| search (URI = /api/*/book OR URI = /api/*/collections OR URI = /api/*/notes)
| rex mode=sed field=URI "s/(?<root>\/\w+\/)[^\/]+(?<api>.*)/\1*\2/g"
| eval responseTime="response time"
| chart avg(duration) as avg_time by responseTime URI

I am sure you can also understand that there is nothing wrong with the rex and the remainder of the search given the data examples you have given to work on, and that the issue is with your filter, which only you can sort out, given that it is production data that you cannot share.

0 Karma
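The three steps of the answer above (the search filter, the rex that collapses the second path segment into `*`, and the grouped average) reproduced in Python as an added example, not the poster's or Splunk's code, over constructed sample events so the effect of the filter can be checked offline. It assumes `*` stands for exactly one path segment and that matching is case-insensitive, as Splunk field-value matching is.

```python
import re
from collections import defaultdict
from statistics import mean

# Constructed sample events as (URI, duration in ms); these are not production data.
SAMPLE_EVENTS = [
    ("/api/cvraman/book", 1), ("/api/apj/book", 2), ("/api/nehru/book", 3),
    ("/api/nehru/Workbook", 9), ("/api/nehru/testbook", 7),   # should be excluded
    ("/api/cvraman/collections", 1), ("/api/apj/collections", 3),
    ("/api/indira/collections", 5),
    ("/api/rahul/notes", 1), ("/api/rajiv/notes", 4), ("/api/modi/notes", 6),
]

# Stand-in for: | search (URI=/api/*/book OR URI=/api/*/collections OR URI=/api/*/notes)
# Assumption: '*' is one path segment and the match is case-insensitive, so
# /api/x/Book would pass but /api/x/Workbook and /api/x/testbook would not.
FILTER = re.compile(r"^/api/[^/]+/(book|collections|notes)$", re.IGNORECASE)

# Same expression as the rex in the thread: keep the first segment, replace the
# second with '*', keep the rest:  s/(?<root>\/\w+\/)[^\/]+(?<api>.*)/\1*\2/
NORMALIZE = re.compile(r"(/\w+/)[^/]+(.*)")


def normalize_uri(uri: str) -> str:
    """Collapse /api/<name>/book into /api/*/book (the rex step)."""
    return NORMALIZE.sub(r"\1*\2", uri)


def average_by_pattern(events, apply_filter=True):
    """Return {normalised URI: avg duration}, i.e. stats avg(duration) by URI.

    With apply_filter=False the rex still collapses names, but every API
    family present in the data shows up, which is what the asker observed.
    """
    buckets = defaultdict(list)
    for uri, duration in events:
        if apply_filter and not FILTER.match(uri):
            continue
        buckets[normalize_uri(uri)].append(duration)
    return {pattern: mean(values) for pattern, values in buckets.items()}


if __name__ == "__main__":
    for label, flag in (("without filter", False), ("with filter", True)):
        print(label)
        for pattern, avg in sorted(average_by_pattern(SAMPLE_EVENTS, flag).items()):
            print(f"  {pattern:<22} {avg:.2f}")
```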

ITWhisperer
SplunkTrust

Do you mean something like this?

index=your_index (URI = /api/*/book OR URI = /api/*/collections OR /api/*/notes. ) |stats avg(duration) as avg_time by URI
0 Karma
