Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Count of API calls over X time_taken, only if average time_taken is over a threshold

pzhou07920
Explorer
‎01-09-2018 08:06 AM

Hi,

I currently have a query that returns the a chart of API's whose calls average over a specific time limit (unique per API). I would then like to be able to display the count of calls over X seconds time_taken ONLY if that API had an average time_taken over X seconds.

Would I be correct in thinking that I should make my first search a sub search and then search on that to find the counts of timed out APIs?

Here is my current search for the APIs with average time_taken over a limit.

index=mykplan_main cs_uri_stem="AAA" OR cs_uri_stem="BBB"

| eval URI=cs_uri_stem
| eval URI = lower(URI)
| stats avg(eval(time_taken*.001)) as avg_duration by URI
| eval avg_duration=round(avg_duration,2)
| eval alert=if((avg_duration > 3 AND URI="AAA") OR (avg_duration > 1 AND URI="BBB") ,"alert", "ignore")
| where alert="alert"
| fields - alert

Tags (1)
0 Karma
Reply

somesoni2
Revered Legend
‎01-09-2018 08:11 AM

How about this? YOu're already fetching avg time for a URI. You can just then get the count based on avg_duration as you're already filtering for avg_duration>threshold.

index=mykplan_main cs_uri_stem="AAA" OR cs_uri_stem="BBB" 
| eval URI=cs_uri_stem 
| eval URI = lower(URI) 
| stats avg(eval(time_taken*.001)) as avg_duration by URI 
| eval avg_duration=round(avg_duration,2) 
| eval alert=if((avg_duration > 3 AND URI="AAA") OR (avg_duration > 1 AND URI="BBB") ,"alert", "ignore") 
| where alert="alert" 
| chart count by avg_duration
0 Karma
Reply

pzhou07920
Explorer
‎01-09-2018 09:04 AM

Doing this only returns a count of 1 for every result, I think it counts the avg duration or something. I preferably want to only get the count of API calls over the same avg_duration threshold I used but total count of events by URI should be okay too.

0 Karma
Reply

micahkemp
Champion
‎01-09-2018 08:10 AM

You should be able to just add count to your stats command.

index=mykplan_main cs_uri_stem="AAA" OR cs_uri_stem="BBB" 
| eval URI=cs_uri_stem 
| eval URI = lower(URI) 
| stats avg(eval(time_taken*.001)) as avg_duration, count by URI 
| eval avg_duration=round(avg_duration,2) 
| eval alert=if((avg_duration > 3 AND URI="AAA") OR (avg_duration > 1 AND URI="BBB") ,"alert", "ignore") 
| where alert="alert" 
| fields - alert
0 Karma
Reply

rekhan
New Member
‎11-09-2020 02:32 AM

Hi ,

I am new to Splunk... We are pulling our logs from cloudwatch into splunk.

I want to create a dashboard to show the number of API calls by response - 2xx, 4xx and 5xx.

Basically I want to count the numbers of alerts for each response type for the API call.

Can you please help.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...