Can anyone please explain this search? It's for average request execution:
index=main sourcetype=access_combined OR sourcetype=log4j
| eval action=substr(uri_path,2)
| eval action=lower(if(isnull(action),requestType,action))
| eval JSESSIONID=if(isnull(JSESSIONID),sessionId,JSESSIONID)
| transaction threadId, JSESSIONID, action maxspan=1m
| stats avg(duration) AS Avg_Request_Execution_Time
Let's break up this search into its parts
index=main sourcetype=access_combined OR sourcetype=log4j
Pretty straightforward: take the events from the main index, sourcetypes access_combined or log4j.
| eval action=substr(uri_path,2)
Creates a new field action by extracting a substring out of the field uri_path, starting from the second char.
| eval action=lower(if(isnull(action),requestType,action))
Checks if the field action is empty (isnull). If so, action takes the value of the field requestType; otherwise the value of action remains the same. The field value is converted to lower case.
| eval JSESSIONID=if(isnull(JSESSIONID),sessionId,JSESSIONID)
Checks if the field JSESSIONID is null. If so, JSESSIONID takes the value of the field sessionId; otherwise the value of action remains the same.
| transaction threadId, JSESSIONID, action maxspan=1m
Creates a transaction with the fields threadId and JSESSIONID with a maximum duration of 1 minute - that is, checking all events within one minute where the values of threadId and JSESSIONID are identical, and combining them into one transaction. Check http://docs.splunk.com/Documentation/Splunk/6.3.1/SearchReference/Transaction for more details.
| stats avg(duration) AS Avg_Request_Execution_Time
Creates a stats table for the average value of duration - which is a field created by the transaction command - and names this field Avg_Request_Execution_Time.
Any further details needed? Feel free to comment!
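To make the pipeline concrete, here is an added Python emulation (not Splunk code and not from the original answer) that runs the same three eval steps, a simplified transaction grouping with maxspan=1m, and the average of duration over constructed sample events. The events and the grouping rule (a new transaction starts when an event would push the span past maxspan) are assumptions made for this illustration.

```python
from datetime import datetime, timedelta
from statistics import mean

# Constructed sample events (assumed, not from the original post): access_combined
# events carry uri_path/JSESSIONID, log4j events carry requestType/sessionId.
EVENTS = [
    {"_time": "2024-01-01T10:00:00", "sourcetype": "access_combined", "threadId": "t1", "uri_path": "/viewcart", "JSESSIONID": "S1"},
    {"_time": "2024-01-01T10:00:02", "sourcetype": "log4j", "threadId": "t1", "requestType": "ViewCart", "sessionId": "S1"},
    {"_time": "2024-01-01T10:00:05", "sourcetype": "log4j", "threadId": "t1", "requestType": "viewcart", "sessionId": "S1"},
    {"_time": "2024-01-01T10:01:30", "sourcetype": "access_combined", "threadId": "t2", "uri_path": "/updatecart", "JSESSIONID": "S2"},
    {"_time": "2024-01-01T10:01:34", "sourcetype": "log4j", "threadId": "t2", "requestType": "UpdateCart", "sessionId": "S2"},
    # 90 s after the first t2 event: exceeds maxspan=1m, so it starts a new transaction
    {"_time": "2024-01-01T10:03:00", "sourcetype": "log4j", "threadId": "t2", "requestType": "updatecart", "sessionId": "S2"},
]

def eval_fields(event):
    """Emulate the three eval commands from the search."""
    e = dict(event)
    uri = e.get("uri_path")
    action = uri[1:] if uri is not None else None      # substr(uri_path,2): drop the leading '/'
    if action is None:                                  # if(isnull(action), requestType, action)
        action = e.get("requestType")
    e["action"] = action.lower() if action is not None else None
    if e.get("JSESSIONID") is None:                     # if(isnull(JSESSIONID), sessionId, JSESSIONID)
        e["JSESSIONID"] = e.get("sessionId")
    return e

def transaction(events, fields, maxspan):
    """Simplified emulation of `transaction <fields> maxspan=...`: events sorted by time
    join the open transaction for their key unless that would exceed maxspan."""
    open_tx, closed = {}, []
    for e in sorted(events, key=lambda x: x["_time"]):
        key = tuple(e.get(f) for f in fields)
        t = datetime.fromisoformat(e["_time"])
        tx = open_tx.get(key)
        if tx is not None and t - tx["start"] <= maxspan:
            tx["end"], tx["eventcount"] = t, tx["eventcount"] + 1
        else:
            if tx is not None:
                closed.append(tx)
            open_tx[key] = {"key": key, "start": t, "end": t, "eventcount": 1}
    closed.extend(open_tx.values())
    for tx in closed:                                   # duration = last event time - first event time
        tx["duration"] = (tx["end"] - tx["start"]).total_seconds()
    return closed

def avg_request_execution_time(events):
    """stats avg(duration) AS Avg_Request_Execution_Time, in seconds."""
    txs = transaction([eval_fields(e) for e in events], ("threadId", "JSESSIONID", "action"), timedelta(minutes=1))
    return mean(tx["duration"] for tx in txs)           # returns 3.0 for the sample events
```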
It is gathering up all events for a web session or jsession by using the transaction command, which also calculates a duration field for each session, from which an average can be calculated.
Thanks for the explanation... I still have a question.
For the search below, you said it's extracting a substring out of uri_path. Here are the field values for uri_path:
/viewcart, /updatecart, /updateitem...etc
Is it necessary to extract a substring? If it is, how does it work? Can you please explain?
| eval action=substr(uri_path,2)
Creates a new field action by extracting a substring out of the field uri_path, starting from the second char.
Sorry for the delay...
As you stated, the values for uri_path all start with a slash char '/' - the substr command just removes the leading slash from the value, so this is (more or less) just a 'cosmetic correction'. Now you are able to search for action=viewcart - which is much nicer than having to search for action="/viewcart".
Got it. Thanks much!