Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Calculate max min average response time and Peak hour by URL

shashank_24
Path Finder
‎06-16-2020 08:20 AM

Hi, I am trying to put together a table like this - Need to calculate the max TPM, max response time and average response time

urlmax_per_hourtotal_countAverageRespTimeMaxRespTime
/test13141514  
/test27772876  
     

 

My peak hour count and total count are coming but AverageRespTime and MaxRespTime are blank. I want to calculate this for last 30 days and below is the query I am using -

 

index=myindex sourcetype=access_combined_wcookie status=200 
| bucket span=1h _time 
| stats count as hour_count by _time url 
| stats max(hour_count) as max_per_hour sum(hour_count) as total_count avg(time_serve) as AverageRespTime max(time_serve) as MaxRespTime by url

 

Can someone advice what I am doing wring here OR may be some other way to achieve this task?

NOTE - time_serve field is available in my interesting fields.

Labels (2)
Labels
Tags (2)
0 Karma
Reply

anilchaithu
Builder
‎06-16-2020 08:35 AM

@shashank_24 

 

time_serve field is not available for the second stats command 

0 Karma
Reply

shashank_24
Path Finder
‎06-16-2020 08:40 AM

@anilchaithu It is available. Sorry I should have mentioned it.

0 Karma
Reply

anilchaithu
Builder
‎06-16-2020 08:46 AM

@shashank_24 

The output from first stats command will be the output for second stats command.

In this query the first stats command output hour_count, _time & url. So the time_server is not available for the second stats command

| stats count as hour_count by _time url
| stats max(hour_count) as max_per_hour sum(hour_count) as total_count avg(time_serve) as AverageRespTime max(time_serve) as MaxRespTime by url

index=myindex sourcetype=access_combined_wcookie status=200 
| bucket span=1h _time 
| stats count as hour_count by _time url 
| stats max(hour_count) as max_per_hour sum(hour_count) as total_count avg(time_serve) as AverageRespTime max(time_serve) as MaxRespTime by url

 

hope this clears your doubt

0 Karma
Reply

shashank_24
Path Finder
‎06-16-2020 08:51 AM

@anilchaithu ah yes you are right. Thanks. So how do i achieve it?

Because I want to display in a tabular format with along with the url's.

0 Karma
Reply

anilchaithu
Builder
‎06-16-2020 08:57 AM

@shashank_24 

try this 

| stats count as hour_count avg(time_serve) as avg_timeserve max(time_serve) as max_timeserve  by _time url
| stats max(hour_count) as max_per_hour sum(hour_count) as total_count avg(avg_timeserve) as AverageRespTime max(max_timeserve ) as MaxRespTime by url

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...