Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: count events per user, showing average latency
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am attempting to count the number of times a user has made a web server 'hit', and also display the average latency of that/those users.
Search Query:
sourcetype=www NOT hck=* user=< user > | stats avg(time_taken) as "latency(1s)" | stats count(user) by latency(1s)
I can't seem to get the fields to come out right, either I get just the latency, or the count and the latency without the user.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
should work,
sourcetype=www NOT hck=* user=< user > | eventstats avg(time_taken) as latency | stats count(user) by latency | rename latency as "latency (1s)"
UPDATE:
perhaps this is what you're after:
sourcetype=www NOT hck=* user=* | stats count as hits, avg(time_taken) as "latency(1s)" by user
/k
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
should work,
sourcetype=www NOT hck=* user=< user > | eventstats avg(time_taken) as latency | stats count(user) by latency | rename latency as "latency (1s)"
UPDATE:
perhaps this is what you're after:
sourcetype=www NOT hck=* user=* | stats count as hits, avg(time_taken) as "latency(1s)" by user
/k
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Actually I just tweeked this a little bit, but you were pretty much spot on. Here is the final search:
sourcetype=www NOT hck=* | eval user=user."@".domain | stats count as hits, avg(time_taken) as "avg latency(1s)" by user | sort - "avg latency(1s)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Or wait. That does not seem right. What do you really want? Provide sample events and sketch of desired output, please
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
