Hi,
I have a requirement where we need to categorise events based on the URL into 4 separate categories, then calculate the average response time for each category. Finally, we want to display all the averages by category together in a stats table. Is there an easy way to do this?
Hi @ebs,
the problem is to find a rule to categorize URLs. If, e.g., you have this rule:
in the uri field you have
localhost/* --> Cat. A
community/* --> Cat. B
splunk.com/ --> Cat. C
others --> Cat. D
you can try something like this:
index=your_index
| eventstats count AS total
| eval type=case(match(uri,"localhost"),"A",match(uri,"community"),"B",match(uri,"splunk\.com"),"C",true(),"D")
| stats avg(response_time) AS response_time count values(total) AS total BY type
| eval perc=round(count/total*100,2)
| table type response_time perc
Ciao.
Giuseppe
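An added example, not part of the original answer: match() is an unanchored regular-expression match, so a uri that merely contains "localhost" somewhere (for instance in a query-string parameter) would be counted in Cat. A. The search below categorizes on the host part only and runs on constructed sample events; the uri_host field name, the optional scheme prefix and the sample values are assumptions.

```spl
| makeresults count=5
| streamstats count AS n
| eval uri=case(n=1,"localhost/app/login",
                n=2,"community/t5/search",
                n=3,"splunk.com/",
                n=4,"example.org/redirect?next=localhost/app",
                n=5,"intranet.example/home")
| eval response_time=case(n=1,120, n=2,300, n=3,80, n=4,450, n=5,200)
| rex field=uri "^(?:[a-z][a-z0-9+.-]*://)?(?<uri_host>[^/:?#]+)"
| eval type=case(uri_host="localhost","A",
                 uri_host="community","B",
                 uri_host="splunk.com","C",
                 true(),"D")
| eventstats count AS total
| stats avg(response_time) AS response_time count values(total) AS total BY type
| eval perc=round(count/total*100,2)
| table type response_time perc
```

On this sample the fourth event falls into D with the host-based rule, while a substring match on "localhost" would place it in A and skew both averages.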
Hi @ebs,
good for you, see you next time!
Ciao and happy splunking.
Giuseppe
P.S.: Karma Points are appreciated 😉