
How to write a stats search for the daily max and average latency per each of the top 5 URLs?

Builder

I have logs that I'm trying to analyze and get the daily average latency per URL. I'll provide a sample log, and what I'd like as the resulting table.

Oct 9 10:46:10 x.x.x.x Hostname="Test",RequestStartTimestamp="1412873168",ResponseStartTimestamp="1412873170",URLString="/TEST/api/Referral/",ClientIP="x.x.x.x",MethodString="GET",ResponseCode="200",ServerLatency="2304",RequestSize="1068",ResponseSize="17287"

Day 1 (top 5)

URLString1 ServerLatencyMax=10 avg(ServerLatency)=7
URLString2 ServerLatencyMax=15 avg(ServerLatency)=9
URLString3 ServerLatencyMax=12 avg(ServerLatency)=3
URLString4 ServerLatencyMax=11 avg(ServerLatency)=4
URLString5 ServerLatencyMax=1 avg(ServerLatency)=1

Day 2 (top 5)

URLString1 ServerLatencyMax=10 avg(ServerLatency)=7
URLString2 ServerLatencyMax=10 avg(ServerLatency)=7
URLString3 ServerLatencyMax=10 avg(ServerLatency)=7
URLString4 ServerLatencyMax=10 avg(ServerLatency)=7
URLString5 ServerLatencyMax=10 avg(ServerLatency)=7

I've been trying something along the lines of:

index=test sourcetype=test_log ResponseCode="200"
| stats avg(ServerLatency) as AVG_ServerLatency by URLString
| sort AVG_ServerLatency
| reverse

This will get me the average for whatever time period I'm searching for, per URL. But I'd like to separate out by day.


SplunkTrust

Try this

index=test sourcetype=test_log ResponseCode="200"
| eval Date=strftime(_time,"%d-%b-%Y")
| stats max(ServerLatency) as MaxServerLatency, avg(ServerLatency) as AVGServerLatency by Date,URLString
| sort Date, -MaxServerLatency
| streamstats count as rank by Date
| where rank < 6



Builder

Very close to perfect, thanks. I ended up changing the sort based around AVGServerLatency instead of the Max, but otherwise it works great. Appreciate it.

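The search below is an editorial variant of the accepted answer, incorporating the asker's switch to ranking by average, and is not text posted by either participant. It assumes the same index, sourcetype and field names as the thread; the span of one day, the ranking by AVGServerLatency, the added Requests column and the output field order are this example's choices.

```spl
index=test sourcetype=test_log ResponseCode="200"
| bin _time span=1d
| stats max(ServerLatency) as MaxServerLatency,
        avg(ServerLatency) as AVGServerLatency,
        count as Requests
        by _time, URLString
| sort 0 _time, -AVGServerLatency
| streamstats count as rank by _time
| where rank <= 5
| eval Date=strftime(_time, "%Y-%m-%d"),
       AVGServerLatency=round(AVGServerLatency, 1)
| table Date, URLString, Requests, MaxServerLatency, AVGServerLatency
```

Two details differ from the accepted search and matter once the search window grows. First, grouping on `bin _time span=1d` instead of a `strftime` string keeps the days as epoch values, so `sort` orders them chronologically; a string like `%d-%b-%Y` sorts lexically, which puts 01-Nov ahead of 09-Oct. Second, `sort` without a count keeps only the first 10,000 rows by default, so with many (day, URL) pairs rows would be silently dropped before `streamstats` assigns ranks; `sort 0` removes that limit. The `Requests` column is there so a URL that reaches the top 5 on a single slow request is visible as such. Because the syslog header in the sample line has no year, `_time` depends on the sourcetype's timestamp extraction; if that is unreliable, `eval _time=RequestStartTimestamp` before the `bin` would use the epoch value the log already carries (optional, and assumes RequestStartTimestamp is the field to trust). Note too that `ResponseCode="200"` excludes failed requests from the latency figures; drop the filter if error-path latency is of interest.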