How to get top results based on throughput

Path Finder

My dataset is like below:


01/05/2013 23:58:00 -0800, search_name=foo, search_now=1357459200.000, info_min_time=1357459080.000, info_max_time=1357459200.000, info_search_time=1357459425.558, Count=1, apiName="footest", appName="bartest", clRT=70, status=401, svRT=68

01/05/2013 23:58:00 -0800, search_name=foo, search_now=1357459200.000, info_min_time=1357459080.000, info_max_time=1357459200.000, info_search_time=1357459425.558, Count=10, apiName="footest", appName="bartest1", clRT=50, status=200, svRT=52


Each "apiName" can have multiple "appNames".
Successful txn means any event with "status" between 200-400.
Total Txns mean sum(Count)
What I would like to get is for each apiName, the timechart for # of Successful txns over time for "appName"s for which the total throughput is in top 5.

Say there are 7 appNames like foo1, foo2, foo3, and so on, and their respective TotalTxns are 11, 10, 9, 8, 7, 6, 5. So I would like to show, for each apiName, a timechart of # of successful txns for the appNames foo1 to foo5, as their throughput is in the top 5...

apiName can be chosen by the user from the dropdown in the view.

Thanks for your help.

Path Finder

I was able to fix this by doing something like below, in case anyone else is trying to solve a similar issue....


index=foo search_name="bar" [search index=foo search_name="bar" apiName="$apiName$"| stats sum(Count) AS Total by appName|sort -Total | head 5 |table appName] | search status>199 AND status<400 apiName="footest" | timechart span=2m eval(sum(Count)) AS TotalSuccess by appName


Thanks Iguinn and Suda for your time.
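The same logic as the accepted search, written out in Python as an added reference implementation (not code from this thread or from Splunk) over constructed sample rows in the question's summary-index layout: rank appNames by total Count for the chosen apiName, keep the top 5, then bucket the successful Count (status>199 AND status<400) into 2-minute spans. It also ranks by successful Count alone, to show why filtering on status before the subsearch changes which five appNames are selected, the point raised later in the thread. The appNames, counts and statuses in SAMPLE_EVENTS are constructed; app1 is given the highest total but mostly failures so the two rankings differ.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events: timestamp, then comma-separated key=value pairs,
# matching the row format shown in the question. Values are made up.
SAMPLE_EVENTS = """\
01/05/2013 23:50:00 -0800, search_name=foo, Count=1, apiName="footest", appName="app1", clRT=70, status=200, svRT=68
01/05/2013 23:52:00 -0800, search_name=foo, Count=10, apiName="footest", appName="app1", clRT=70, status=500, svRT=68
01/05/2013 23:50:00 -0800, search_name=foo, Count=6, apiName="footest", appName="app2", clRT=50, status=200, svRT=52
01/05/2013 23:52:00 -0800, search_name=foo, Count=4, apiName="footest", appName="app2", clRT=50, status=302, svRT=52
01/05/2013 23:50:00 -0800, search_name=foo, Count=9, apiName="footest", appName="app3", clRT=50, status=200, svRT=52
01/05/2013 23:50:00 -0800, search_name=foo, Count=8, apiName="footest", appName="app4", clRT=50, status=200, svRT=52
01/05/2013 23:50:00 -0800, search_name=foo, Count=3, apiName="footest", appName="app5", clRT=50, status=200, svRT=52
01/05/2013 23:52:00 -0800, search_name=foo, Count=4, apiName="footest", appName="app5", clRT=50, status=200, svRT=52
01/05/2013 23:50:00 -0800, search_name=foo, Count=6, apiName="footest", appName="app6", clRT=50, status=200, svRT=52
01/05/2013 23:50:00 -0800, search_name=foo, Count=100, apiName="othertest", appName="appX", clRT=50, status=200, svRT=52
"""

# key=value, where the value is either a quoted string or everything up to the next comma
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|[^,]+)')


def parse_event(line):
    """Turn one row into a dict: _time as epoch seconds plus the key=value fields."""
    ts_text, _, rest = line.partition(",")
    stamp = datetime.strptime(ts_text.strip(), "%m/%d/%Y %H:%M:%S %z")
    event = {"_time": int(stamp.timestamp())}
    for key, raw, quoted in FIELD_RE.findall(rest):
        event[key] = quoted if raw.startswith('"') else raw.strip()
    event["Count"] = int(event["Count"])
    event["status"] = int(event["status"])
    return event


def is_success(event):
    """Same predicate as the accepted search: status>199 AND status<400."""
    return 199 < event["status"] < 400


def sum_count_by_app(events, api_name, only_success=False):
    """Equivalent of `stats sum(Count) AS Total by appName` for one apiName.
    With only_success=True it mimics putting the status filter before the stats."""
    totals = defaultdict(int)
    for ev in events:
        if ev["apiName"] != api_name:
            continue
        if only_success and not is_success(ev):
            continue
        totals[ev["appName"]] += ev["Count"]
    return dict(totals)


def top_apps(totals, n=5):
    """Equivalent of `sort -Total | head 5 | table appName` (ties broken by name)."""
    ranked = sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))
    return [app for app, _ in ranked[:n]]


def success_timechart(events, api_name, apps, span_seconds=120):
    """Equivalent of `search status>199 AND status<400 | timechart span=2m sum(Count) by appName`,
    restricted to the appNames the subsearch selected. Returns {bucket_epoch: {appName: count}}."""
    wanted = set(apps)
    chart = defaultdict(lambda: defaultdict(int))
    for ev in events:
        if ev["apiName"] == api_name and ev["appName"] in wanted and is_success(ev):
            bucket = ev["_time"] - ev["_time"] % span_seconds
            chart[bucket][ev["appName"]] += ev["Count"]
    return {bucket: dict(counts) for bucket, counts in sorted(chart.items())}


def run(api_name="footest", lines=SAMPLE_EVENTS):
    """Full pipeline for one apiName: both rankings plus the timechart over the top-by-total set."""
    events = [parse_event(l) for l in lines.splitlines() if l.strip()]
    by_total = top_apps(sum_count_by_app(events, api_name))
    by_success = top_apps(sum_count_by_app(events, api_name, only_success=True))
    return {
        "top_by_total": by_total,
        "top_by_success": by_success,
        "timechart": success_timechart(events, api_name, by_total),
    }


if __name__ == "__main__":
    result = run()
    print("top 5 by total throughput:", result["top_by_total"])
    print("top 5 by successful txns: ", result["top_by_success"])
    for bucket, counts in result["timechart"].items():
        print(datetime.fromtimestamp(bucket).isoformat(), counts)
```

With the constructed rows, ranking on total Count selects app1 through app5, while ranking on successful Count drops app1 (one success, ten failures) in favour of app6; the timechart then shows app1 with a single successful transaction in the first 2-minute bucket and none in the second.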


Communicator

Hello,

What do you think of my idea? I hope it helps you.

yoursearchhere apiName="$chosenAPIname$" status >= 200 AND status <=400
    [ search yoursearchhere apiName="$chosenAPIname$"
      | stats sum(Count) AS TotalTxns by appName
      | sort - TotalTxns
      | head 5
      | fields + appName ]
| timechart sum(Count) as Total by appName

Thanks.

Path Finder

Instead, the Splunk view does something like this:

index=foo search_name="bar" [search index=foo search_name="bar"| stats sum(Count) AS Total by appName|sort -Total | head 5 |table appName] | search status>199 AND status<400 apiName="footest" | timechart span=2m eval(sum(Count)) AS TotalSuccess by appName

This could work if subsearch can also start using the condition being used by main search. Any ideas?

Path Finder

I could achieve this by doing something like below, but there is a problem with this… In the view, I am using an “intention” for apiName, and Splunk doesn’t put “apiName” in two places as shown below:

index=foo search_name="bar" apiName="footest" [search index=foo search_name="bar" apiName="footest" | stats sum(Count) AS Total by appName|sort -Total | head 5 |table appName] | search status>199 AND status<400 | timechart span=2m eval(sum(Count)) AS TotalSuccess by appName

Legend

Perhaps there is another way to deal with this in the view?

Path Finder

Thanks for your reply Iguinn and Suda. The problem with this approach is that if this is used in the view, Splunk doesn't add "apiName" in both the searches, rather it adds it only after the last search. This way the sub search doesn't work for that api 😞

Legend

This should work. You may need to tweak the syntax of the search a bit...

yoursearchhere apiName="$chosenAPIname$" status >= 200 AND status <=400
| timechart limit=5 sum(Count) as Total by appName

Oops, based on your comment, it looks like you will need to do this:

yoursearchhere apiName="$chosenAPIname$" status >= 200 AND status <=400
    [ search yoursearchhere apiName="$chosenAPIname$" | addinfo | where _time>=info_min_time  
      | top limit=5 showcount=f showperc=f appName ]
| timechart sum(Count) as Total by appName

This creates a subsearch that identifies the top 5 appNames, and then inserts the list as a condition of the search.
I updated this answer to include "addinfo" - otherwise the subsearch runs over all time, which is almost certainly wrong. The addinfo command is cool because it gives the subsearch access to the time parameters of the outer search. That's what the info_min_time is: the earliest time for the outer search.

Legend

The update to the answer takes care of that, I hope. See the second search. Suda's answer is similar - it is replicating the functionality of the top command.

Path Finder

Thanks for your reply. But this way "top 5 appName" won't be based on the total throughput but rather based on # of Successful Txns as you are filtering using status. (Total=success+failed)

Any other idea?
