Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

index=** source_type=** cf_app_name=*** api_call="*"

Scorpion
New Member
‎07-08-2021 11:07 PM

index=**** source_type=** cf_app_name=** api_call="*" | where like (api_call, "%xyz%")
| table _time,response_code, duration,api_call | bin _time span=1d | appendpipe [ | chart count over api_call by response_code ] | stats sum(*) as *,count as Number_Of_Calls,perc95(duration) as perc95_duration,avg(duration) as avg_duration by api_call
| eval perc95_duration=round(perc95_duration,3),avg_duration=round(avg_duration,3)
| sort - _time | fields - duration,response_code | table api_call,_time,*,Number_Of_Calls

 

 

my _time column is always blank. Either _time or response codes are filled in.

 

 

 

Labels (1)
Labels
Tags (4)
0 Karma
Reply

venkatasri
SplunkTrust
SplunkTrust
‎07-08-2021 11:17 PM

Hi @Scorpion 

Can you try this, when you did stats the _time has gong as it associated to event. You have to aggregation functions to get the _time or group by _time, api_call. Here i have used aggregate function, renamed _time to time, And converted to human readable.

index=**** source_type=** cf_app_name=** api_call="*" 
| where like (api_call, "%xyz%") 
| table _time,response_code, duration,api_call 
| bin _time span=1d 
| appendpipe 
    [| chart count over api_call by response_code ] 
| stats sum(*) as *,count as Number_Of_Calls,perc95(duration) as perc95_duration,avg(duration) as avg_duration, earliest(_time) as time by api_call
| convert ctime(time) as time
| eval perc95_duration=round(perc95_duration,3),avg_duration=round(avg_duration,3) 
| sort - time 
| fields - duration,response_code 
| table api_call,time,*,Number_Of_Calls

---

An upvote would be appreciated and Accept solution if this reply helps!

0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...