Hi all. I'm kind of new to Splunk. I have data by day - this is the response time for each API call by day. I want to run that automatically every day, collecting it into a summary index. (I cannot run this by month since it is too much data.) Then, every month, I want to use the summary index to calculate the 95th percentile, average, and standard deviation of all the response times by each API call. The summary index will allow me to do that faster, although I am not sure of the mechanics of how to use it.
For instance, do I need to re-add my filters for the monthly pull?
Does the below so far look correct to pull in all information (events)?
So, I want to understand if I am doing this correctly. I have the below SPL by day:
index=virt [other search parameters]
| rename msg.sessionId as sessionId
| rename msg.apiName as apiName
| rename msg.processingTime as processingTime
| rename msg.responseCode as responseCode
| eval session_id=coalesce(a_session_id, sessionId)
| fields …
| stats values(a_api_responsetime) as responsetime, values(processingTime) as BackRT by session_id
| eval PlatformProcessingTime=(responsetime - BackRT)
| where PlatformProcessingTime>0
| collect index=virt_summary
Then I have the below SPL by month:
index=virt_summary
| bucket _time span=1mon
| stats count as Events, avg(PlatformProcessingTime), stdev(PlatformProcessingTime), perc95(PlatformProcessingTime) by _time
Any assistance is much appreciated! Let me know if you need more clarification. The results are what I have attached, so it looks like it is not working properly. I tested the results by day.
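As an added illustration (editor's example, not the original poster's SPL), here are the two searches with the fields the monthly roll-up needs carried through: the daily search keeps a day-granular _time and apiName in the stats by clause so the summary events can later be grouped by month and by API, and the monthly search reads only the summary index, so the original filters are not needed there. The source name virt_daily_platform_rt, the explicit daily time range, and the use of max() instead of values() (so the subtraction operates on a single value per session rather than a multivalue field) are assumptions made for this example.

```spl
index=virt [other search parameters] earliest=-1d@d latest=@d
| rename msg.sessionId as sessionId, msg.apiName as apiName, msg.processingTime as processingTime, msg.responseCode as responseCode
| eval session_id=coalesce(a_session_id, sessionId)
| bin _time span=1d
| stats max(a_api_responsetime) as responsetime, max(processingTime) as BackRT by _time, session_id, apiName
| eval PlatformProcessingTime=responsetime - BackRT
| where PlatformProcessingTime>0
| collect index=virt_summary source="virt_daily_platform_rt"

index=virt_summary source="virt_daily_platform_rt"
| bin _time span=1mon
| stats count as Events, avg(PlatformProcessingTime) as AvgRT, stdev(PlatformProcessingTime) as StdevRT, perc95(PlatformProcessingTime) as P95RT by _time, apiName
```

Because the daily search writes one row per session rather than a per-day aggregate, the monthly perc95 and stdev are computed over the individual session values, which is what makes them meaningful.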