Splunk Search

How to generate an IIS search for how many transactions have hit a single server?

New Member

New to Splunk and am having trouble writing a search that would tell me how many IIS transactions have hit a single server over one month with one minute granularity. I would also like this to be "visualized" with the average response time.

0 Karma
1 Solution

SplunkTrust

OK, great. Can you help us with a bit more information?

1) You do have the events coming into Splunk already?
2) And you can find them in a search?
3) Your issue is really how to transform those raw events into that particular search/report?

If that's all true, then...

4) Are the events parsed into fields properly (e.g. is the sourcetype set right, so that if you run a search in "Verbose" mode you can see fields like c_ip and time_taken)?

Lastly, then, what do you mean by ...

5) How would you define an "IIS transaction?"

6) How does that interact with "time_taken"?
7) 1 minute stats over 30 days is ~45,000 points. Can you display that? I can't.

It's possible something as simple as

sourcetype=iis | bin span=1m _time | stats avg(time_taken) by _time 

and switching to your Visualization tab and playing with some things in there. Indeed, try the above search over the past 4 hours or so and tell me what it gets you...

If that actually works for your needs, I'll move this to an answer and we'll be done. But I think you'll have an answer in here that either a) says we need a bit more work or b) need to redefine the problem.

Happy Splunking!
-Rich


0 Karma
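One way to get both numbers the question asks for (transactions per minute and average response time, for one server) in a single search. This is an added example, not Rich's search or anything from the original thread; `web01` is a placeholder host name, and `time_taken` is assumed to be the field extracted from the IIS sourcetype (IIS W3C logs record time-taken in milliseconds).

```spl
sourcetype=iis host=web01 earliest=-30d@d latest=now
| eval time_taken=tonumber(time_taken)
| timechart span=1m count AS transactions avg(time_taken) AS avg_time_taken_ms
```

`timechart` does the `bin` step for you and produces one row per minute, so 30 days is roughly 43,000 rows; to keep the visualization readable, chart the same search with a coarser `span` (for example `span=1h`) and drop to `span=1m` only over a shorter time range when you need to drill into a specific window.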


New Member

Thank you, this has given me the start that I needed to achieve what I'm looking for.

0 Karma

Esteemed Legend

Show a few sample events.

0 Karma

New Member

Thank you, but I don't think I can post examples from our logs without heavily editing them.

0 Karma