Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Count of requests processed by each API service per minute.

nithys
Communicator
‎04-01-2025 08:54 PM

Hi 

I am working on below query to get Count of requests processed by each API service per minute

index=np source IN ("/aws/lambda/api-data-test-*") "responseTime"
| eval source = if(match(source, "/aws/lambda/api-data-test-(.*)"), replace(source, "/aws/lambda/api-data-test-(.*)", "data/\\1"), source)
| bucket _time span=1m | stats count by source, _time

i get below result for one source "name"
,second source by address,third source by city .
How can i represent different api source with per minute in good understandable format...either graph or pictorial representation

source _time count     

 
data/name2025-03-02 08:13:002 
data/name2025-03-02 08:14:0057 
data/name2025-03-02 08:15:00347 
data/name2025-03-02 08:16:0062 
data/name2025-03-02 08:17:0048 
 
data/address2025-03-02 08:18:0021 
data/city2025-03-02 08:19:0066 
data/city2025-03-02 08:20:0055 
data/address2025-03-02 08:21:007 

name event

{"name":"log","awsRequestId":"aws","hostname":"1","pid":8,"level":30,"requestType":"GET","entity":"name","client":"Ha2@gmail.com","domain":"name.io","queryParams":{"identifier":"977265"},"responseTime":320,"msg":"responseTime","time":"2025-03-02T03:23:40.504Z","v":0}

address event

{"name":"log","awsRequestId":"aws","hostname":"1","pid":8,"level":30,"requestType":"GET","entity":"address","client":"Harggg2@gmail.com","domain":"name.io","queryParams":{"identifier":"977265"},"responseTime":320,"msg":"responseTime","time":"2025-03-02T03:23:40.504Z","v":0}



Labels (2)
Labels
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎04-01-2025 10:34 PM

Do you mean something like this?

index=np source IN ("/aws/lambda/api-data-test-*") "responseTime"
| eval source = if(match(source, "/aws/lambda/api-data-test-(.*)"), replace(source, "/aws/lambda/api-data-test-(.*)", "data/\\1"), source)
| timechart span=1m count by source

 

Tags (1)
Reply

nithys
Communicator
‎04-02-2025 10:00 AM

Thank you @yuanliu It worked

0 Karma
Reply
Get Updates on the Splunk Community!

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...

Cultivate Your Career Growth with Fresh Splunk Training

Growth doesn’t just happen—it’s nurtured. Like tending a garden, developing your Splunk skills takes the right ...

Introducing a Smarter Way to Discover Apps on Splunkbase

We’re excited to announce the launch of a foundational enhancement to Splunkbase: App Tiering.  Because we’ve ...