Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to calculate peak hour count along with re...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to calculate peak hour count along with requested content
Hi, I am working on a query to get the peak hour count of of the top 100 requested pages on my website and i want this together in a single table.
I have a below query which fetches my top 100 requested pages but what i want is their peak hour count as well alongside in a separate column.
index=test sourcetype=access_combined requested_content="/*" NOT (images OR js OR css OR png OR gif OR json OR jpg OR woff OR eot OR ico OR ttf OR svg OR pdf OR php OR jpeg OR txt) status=200
| stats count by req_content
| sort - count limit=100
@to4kawa @Sukisen1981 @gcusello - hey Guys any help here??
What i am looking is something like this?
req_content Totalcount PeakHourCount
Please let me know if someone can help
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@to4kawa @Sukisen1981 @gcusello - hey Guys any help here??
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Shashank_87,
I am not 100% sure if this is what you are looking for but check this run anywhere example... might get you started
Its basically your search just adding the max value (of the hourly count) for that day next to the count per hour. I think this is what you are looking for.
index=_* sourcetype=splunkd_ui_access
uri="/en-US/app/search/ops_dc_status/_current"
| stats count as TotalHitsPerHour by date_hour, date_mday, uri
| eventstats max(TotalHitsPerHour) as maxDailyCt by date_mday, uri
| table date_hour, date_mday, uri, TotalHitsPerHour, maxDailyCt
Or try this example filled out for your usecase.
index=test sourcetype=access_combined requested_content="/*" NOT (images OR js OR css OR png OR gif OR json OR jpg OR woff OR eot OR ico OR ttf OR svg OR pdf OR php OR jpeg OR txt) status=200
| stats count as Totalcount by date_hour, date_mday, req_content
| eventstats maxTotalcount as PeakHourCount by date_mday, req_content
| table date_hour, date_mday, req_content, Totalcount, PeakHourCount
| sort - count limit=100
happy splunking!
=)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks @Keysofsandiego for your response but I am not really sure if i am looking this. So in simple terms what i want is a table with three columns -
1. req_content
2. Total count of this req_content (suppose in last 7 days)
3. Peak hour count of this req_content (suppose in last 7 days).
Mainly the 1st and 3rd column and even if we don't get total count that's okay. The thing is i need to generate a report every 2 weeks with top 100 most visited pages and their peak hour count so that performance test team can have the latest data.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Keysofsandiego Hey, let me know if you can help me with the query please.
Community Content Calendar, September edition
Splunkbase Unveils New App Listing Management Public Preview
Leveraging Automated Threat Analysis Across the Splunk Ecosystem
