Splunk Search

Show average response time of top 20 URLs

herbie
Path Finder

Hey Guys, I thought this would be simple, but it doesn't seem so. From our HTTP logs, I want to get a list of the top 20 hit URLs and show the average response time for each of those within the one search.

Something like this:

index=prod sourcetype="odr" | top limit=20 cs_uri_stem | stats avg(time_taken) by cs_uri_stem

However, the time_taken field doesn't get passed to the stats command so it displays blank.

Basically, this is the output I want to show:

I was looking at the documentation on subsearches, but I can't figure out how to do it with that either.

Any ideas?

Thanks in advance.

2 Solutions

Ayn
Legend

You could just skip the top clause and use stats directly:

index=prod sourcetype="odr" | stats count,avg(time_taken) by cs_uri_stem | sort - count

The only caveat is that this will return results for all URLs, not just the top 20. However, with the sort you'll get the top 20 first in the results anyhow.


araitz
Splunk Employee

There are a few ways to do this, but this is probably the best:

index=prod sourcetype="odr" earliest=-1h [search index=prod sourcetype="odr" earliest=-1h | top limit=20 cs_uri_stem | fields cs_uri_stem] | stats avg(time_taken) by cs_uri_stem

To add to Ayn's answer:

index=prod sourcetype="odr" | stats count,avg(time_taken) by cs_uri_stem | sort - count | head 20

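To make the two answers above concrete, here is an added Python example (not from the thread or from Splunk) that parses constructed W3C/IIS-style log lines and computes the same thing as the searches: hit count and average time_taken per URI, sorted by count, limited to N. It also mimics `top`, which keeps only the field, count and percent, to show why herbie's original `top | stats avg(time_taken)` pipeline came back blank. Field names are assumed to be normalized from hyphens to underscores, as the searches in the thread refer to them.

```python
"""Added example, not the thread's own code: reproduce in Python what the SPL
searches compute over HTTP logs, and why `top` drops time_taken.
The log lines below are constructed sample data."""
from collections import Counter, defaultdict

# Constructed IIS/W3C extended log sample; the '#Fields:' header names the columns.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status time-taken
2024-03-01 10:00:00 10.0.0.1 GET /login 200 120
2024-03-01 10:00:01 10.0.0.2 GET /login 200 80
2024-03-01 10:00:02 10.0.0.3 POST /login 401 300
2024-03-01 10:00:03 10.0.0.1 GET /api/orders 200 450
2024-03-01 10:00:04 10.0.0.4 GET /api/orders 500 1550
2024-03-01 10:00:05 10.0.0.5 GET /static/app.js 200 10
"""

def parse_w3c(text):
    """Yield one dict per log line; field names take the underscore form
    (cs_uri_stem, time_taken) used by the searches in the thread (assumption)."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = [f.replace("-", "_") for f in line.split()[1:]]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def spl_top(events, field, limit=20):
    """Mimic `| top limit=N <field>`: only <field>, count and percent survive,
    so a downstream `| stats avg(time_taken)` has no time_taken to average."""
    counts = Counter(e[field] for e in events)
    total = sum(counts.values())
    return [{field: v, "count": c, "percent": round(100 * c / total, 2)}
            for v, c in counts.most_common(limit)]

def top_uris_with_avg_time(events, limit=20):
    """Mimic `| stats count,avg(time_taken) by cs_uri_stem | sort - count | head N`."""
    count, total_time = Counter(), defaultdict(float)
    for e in events:
        uri = e["cs_uri_stem"]
        count[uri] += 1
        total_time[uri] += float(e["time_taken"])
    rows = [(uri, c, total_time[uri] / c) for uri, c in count.items()]
    rows.sort(key=lambda r: (-r[1], r[0]))  # sort - count; URI as a deterministic tie-break
    return rows[:limit]

if __name__ == "__main__":
    evts = list(parse_w3c(SAMPLE_LOG))
    print(spl_top(evts, "cs_uri_stem"))  # no time_taken column in the output
    for uri, c, avg in top_uris_with_avg_time(evts):
        print(f"{uri:20} count={c} avg_time_taken={avg:.1f}")
```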
herbie
Path Finder

Thanks for the responses, guys, both solutions work well.


Ayn
Legend

Doh, of course 🙂 Thanks for filling that in.
