Splunk Search

How to calculate peak hour count along with requested content

Shashank_87
Explorer

Hi, I am working on a query to get the peak hour count of the top 100 requested pages on my website, and I want this together in a single table.
I have the below query which fetches my top 100 requested pages, but what I want is their peak hour count as well, alongside in a separate column.

    index=test sourcetype=access_combined requested_content="/*" NOT (images OR js OR css OR png OR gif OR json OR jpg OR woff OR eot OR ico OR ttf OR svg OR pdf OR php OR jpeg OR txt) status=200
    | stats count by req_content
    | sort - count limit=100

@to4kawa @Sukisen1981 @gcusello - hey guys, any help here?

What I am looking for is something like this:

req_content Totalcount PeakHourCount

Please let me know if someone can help

0 Karma

Shashank_87
Explorer

@to4kawa @Sukisen1981 @gcusello - hey guys, any help here?

0 Karma

Keysofsandiego
Path Finder

Hi Shashank_87,
I am not 100% sure if this is what you are looking for, but check this run-anywhere example... it might get you started.
It's basically your search, just adding the max value (of the hourly count) for that day next to the count per hour. I think this is what you are looking for.

    index=_* sourcetype=splunkd_ui_access
    uri="/en-US/app/search/ops_dc_status/_current"
     | stats count as TotalHitsPerHour by date_hour, date_mday, uri
     | eventstats max(TotalHitsPerHour) as maxDailyCt by date_mday, uri
     | table date_hour, date_mday, uri, TotalHitsPerHour, maxDailyCt

Or try this example filled out for your use case.

    index=test sourcetype=access_combined requested_content="/*" NOT (images OR js OR css OR png OR gif OR json OR jpg OR woff OR eot OR ico OR ttf OR svg OR pdf OR php OR jpeg OR txt) status=200
    | stats count as Totalcount by date_hour, date_mday, req_content
    | eventstats max(Totalcount) as PeakHourCount by date_mday, req_content
    | table date_hour, date_mday, req_content, Totalcount, PeakHourCount
    | sort limit=100 - Totalcount

Happy Splunking!
=)

0 Karma

Shashank_87
Explorer

Thanks @Keysofsandiego for your response, but I am not really sure if this is what I am looking for. So in simple terms, what I want is a table with three columns -
1. req_content
2. Total count of this req_content (suppose in last 7 days)
3. Peak hour count of this req_content (suppose in last 7 days).

Mainly the 1st and 3rd columns, and even if we don't get the total count that's okay. The thing is I need to generate a report every 2 weeks with the top 100 most visited pages and their peak hour count so that the performance test team can have the latest data.

0 Karma
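An added example, not posted by anyone in this thread, showing one way to produce the three-column table described above (req_content, Totalcount, PeakHourCount). It reuses the asker's index, sourcetype, field names and exclusion list, and assumes a 7-day reporting window ending at midnight today. The idea is to first count hits per page per clock hour, then collapse those hourly rows into one row per page whose total is the sum of the hourly counts and whose peak is the largest hourly count:

```spl
index=test sourcetype=access_combined requested_content="/*" status=200 earliest=-7d@d latest=@d
    NOT (images OR js OR css OR png OR gif OR json OR jpg OR woff OR eot OR ico OR ttf OR svg OR pdf OR php OR jpeg OR txt)
| bin _time span=1h
| stats count AS HourlyCount BY _time, req_content
| stats sum(HourlyCount) AS Totalcount, max(HourlyCount) AS PeakHourCount BY req_content
| sort limit=100 - Totalcount
```

`bin _time span=1h` buckets events into real calendar hours across the whole window, which is more reliable than grouping on `date_hour` and `date_mday` (those fields are not always extracted, and `date_mday` alone cannot distinguish the same day number in two different months). The two-stage `stats` keeps the result to exactly one row per page, so the final `sort` ranks pages rather than page-hour rows. If the report should also show when the peak occurred, replace the second `stats` with `eventstats max(HourlyCount) AS PeakHourCount BY req_content | where HourlyCount=PeakHourCount` and keep `_time` in the output. The PeakHourCount column doubles as a baseline for the operations team: an hourly count well above a page's recorded peak is a simple indicator of an unusual traffic burst worth investigating.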

Shashank_87
Explorer

@Keysofsandiego Hey, let me know if you can help me with the query please.

0 Karma