Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Query for times
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Query for times
Hi,
i would like to count how many uris that have response times greater than the 90th percentile times for response times greater than x secs..Say 30 secs and list them out.
I tried this. But it is not resulting any results
sourcetype="access_combined_wcookie" host=xxxx Time>30 | eventstats perc90(Time) as hightimes by uri_path | where Time>highimes | table uri_path, count, hightimes
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm pretty sure that the relevant field name in access_combined_wcookie is called req_time, rather than Time. At least, in the default access extractions that ship with Splunk there is no extracted field called Time.
If you run these searches are you getting extracted values for Time? Or only for req_time?
sourcetype="access_combined_wcookie" host=xxxx | table Time req_time
Otherwise you're close. You have one little typo (highimes != hightimes), and if you want a "count" field, you need another stats on the end to roll it up.
Here you go, assuming again that req_time is the field name and not Time.
sourcetype="access_combined_wcookie" host=xxxx req_time>30 | eventstats perc90(req_time) as hightime by uri_path | where req_time>hightime | stats count last(hightime) as hightime by uri_path
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Because of the | where req_time>hightime , the rows coming into that stats clause will only be the rows where the req_time is higher than the 90th percentile value. then the stats clause will give, for each uri_path, count (number of rows higher than 90th percentile) and last(hightime) as hightime (which is just the 90th percentile value).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
what does it mean by - stats count last(hightime) as hightime. Say if the 90th percentile time is 15.6 secs but there are another 5 instances where the time is greater than 15.6 secs. Does this give count as 5? and also would it show the hightime (90th percentile) as 15.6?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
BTw, i tried the modified query but not getting any data
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Thanks for your reply. Just to be on the same page, i am looking for count of each uri for which response time is greater than the 90th percentile time. You are right, the field name is not time.
Like below.
URI COUNT 90thPercentile
xxxx 10 15.6 secs
yyyy 5 10.23
zzzz 14 9.78
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Mile High Learning with Splunk University, Denver, Colorado
IT Service Intelligence 5.0 Series: Your Guide to the June Launch
Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0
