I wanted to see a detailed analysis of IIS logs in W3C (which is being fed to Splunk). I could not get all the available values. For some, may be I am not aware of their Splunk equivalent field. For example I used another light weight tool call Log Parser 2.2, I wrote the query to get the results: LogParser.exe -i:W3C "SELECT date, time, cs-uri-stem, sc-bytes, time-taken, cs(Referer) FROM 'C:\Documents and Settings\Administrator\Desktop\Travel Planners\Tasks\Orchestrator Performance RCA\ex120629.log' where cs-uri-stem like '%emreservationlist.asp%'" I wrote the following query in Splunk thinking it to be equivalent: host="trlpws003" AND cs_uri_stem ="*emreservationlist.asp" | fields cs_uri_stem, date, time, time_taken, cs_bytes, cs_referer_ The results, though similar, but the Splunk query did not retrieve any value for cs_referer_. Requesting your for the same, and also if possible tell the equivalent Splunk fields for the W3C fields. Thanks and Regards ... View more

I need to know the pages, along with the count of how many times their response time exceeded 100. I need the top 10 such pages ordered by their count. I wrote the following search query, but did not get success. Please help. ...| eval time_sec = round(time_taken/1000) | where time_sec > 100 | stats count as cnt by cs_uri_stem | sort cnt 10 - ... View more

I need to know the pages, along with the count of how many times their response time exceeded 100. I need the top 10 such pages ordered by their count. I wrote the following search query, but did not get success. Please help. ...| eval time_sec = round(time_taken/1000) | where time_sec > 100 | stats count as cnt by cs_uri_stem | sort cnt 10 - ... View more

I have a search query that reads as follows: .....| eval time_sec = round(time_taken/1000) | chart max(time_sec) as max_response_time by cs_uri_stem | where max_response_time > xx where .... gives a list of pages and sources, and xx is the time in figures. The search is programmed to take the last 7 day data (i.e., uses -7d). The output gives the pages where the max_response_time is greater than xx. It does not state how many times did the max_response_time cross xx. How can I tune the search query so that it gives me a count of how many times did the max response time of the page cross xx. Please note, the output should only list the pages whose max response time crossed xx at least once, and the remaining pages be ignored. ... View more

We want to schedule a search task based on some criteria. We need this to fire every Thursday midnight. In the schedule option, we find options like 5 mins, 12 hours, 24 hours, Saturday midnight, daily at 6 pm, etc. Could not find any option that would help me get a fired weekly on Thursday midnight. Are the above mentioned options configurable? If so, how? Maybe its possible if we use cron based, but we are not very familiar with it. Kindly help. ... View more

I have the following query: .... | eval time_sec = round(time_taken/1000) | chart max(time_sec) as max_response_time by cs_uri_stem The aim of the above is to return the maximum response time of the pages mentioned in the ... section. I want this query to be scheduled to run at midnight. Also, if the max_response_time of any page in the result set is higher than a value (say xx), it should alert by sending mails. How do I achieve this? ... View more

Hi, I have the following query: ... | eval time_sec = round(time_taken/1000) | chart max(time_sec) as max_response_time, min(time_sec) as min_response_time, avg(time_sec) as avg_response_time by cs_uri_stem This gives me avg. response time per page over a period of 7 days. One can see that there is a big difference between the min, and max response time. I want to see the distribution of response times of each of the pages at various times of the day. The grouping may be done in 2 hours gaps. eg., cs_uri_stem date/time min max avg x.aspx 27/02..2:00 1 5 3 y.aspx 27/02..4:00 1 4 3 : : ... View more

Hi, I would like to know the link, or any document where from I can learn how to write search queries for different report. Please help. ... View more

I see a different web page mentioned in the body of indexed log and another mentioned in its cs_uri_stem. For example, if I search with host="trlpws003" AND "CustomReport.aspx", I get a list of matching records. Now, when I search with host="trlpws003" AND cs_uri_stem ="*CustomReport.aspx" I do not find those rows. I need to find the response times of "CustomReport.aspx", but since cs_uri_stem ="CustomReport.aspx" is not working, I am not able to retrieve the same. Please help. ... View more

I see a different web page mentioned in the body of indexed log and another mentioned in its cs_uri_stem. For example, if I search with host="trlpws003" AND "OrchMain.aspx", I get a list of matching records. Now, when I search with host="trlpws003" AND cs_uri_stem ="*CustomReport.aspx" I do not find those rows. I need to find the response times of "*CustomReport.aspx", but since cs_uri_stem ="*CustomReport.aspx" is not working, I am not able to retrieve the same. Please help. ... View more