The problem statement consists of 2 parts
- capture all the URIs hit in a specific month with specific conditions as below.
sourcetype=iis host=pdestm* cs_uri_stem="/MaterialBalance/" | rex field=cs_uri_stem mode=sed "s/\d+/#/g" | eval SecondsTaken=time_taken/1000| stats count, avg(SecondsTaken) by cs_uri_stem, cs_method | eventstats sum(count) as totalcount | eval percent= (count/totalcount)*100 | where percent>2 OR max(SecondsTaken)>5 | table cs_uri_stem, cs_method, count, percent, avg(SecondsTaken)
The above query returns
cs_uri_stem | cs_method | count | percent | avg(SecondsTaken)
/uri/Details/# | GET | 3575 | 48.487 | 1.7216218181818186
/uri/xxx/# | GET | 12017| 36.688 |1.8851170009153773
This part has been successfully captured.
- Find the max count/ hr of each URI. The expected result is as below
cs_uri_stem | hour in which peak count has been observed | count in peak hour
/uri/Details/#| 2019-04-28 00:00 | 156
/uri/xx/#| 2019-04-26 04:00 | 651
Looking for a solution for part 2.
