- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to determine time of day when web requests...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm new to Splunk and I have a question about how to query the information I need.
I'm indexing IIS web server logs.
I would like to determine if the server is responding slowly at certain times of the day for the past few months. So, my question would be: how do I produce a graph showing average and/or max request times (time_taken) for each hour? The graph would have 24 bars (or 48 bars in pairs of 2 if showing max and avg together) representing the hours of the day and the query would control how many days that graph represents.
Thanks for your help! So far, so good with Splunk!
- Corey
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
1) change field names and values below as necessary, but using either 'report builder' or the 'advanced charting' view, run the following.
sourcetype=access_combined | chart avg(request_time) max(request_time) over date_hour | sort date_hour
This will give you a chart that has distribution of hours across the x-axis and the request times on the y-axis. You probably want to set it to use a line chart if it isnt already. And the sort command is just so the table rows come out in a sensible order.
Note: If your data is very sparse such that there can sometimes be no values at all for a given date_hour, columns may dissappear entirely from the table and chart.
2) A more advanced idea but in a similar vein, is to see the same chart split up into one line per day of the week. And since here im using individual weekday values as my 'split', i can no longer graph both average and max.
sourcetype=access_combined | chart avg(request_time) over date_hour by date_wday | fields date_hour sunday monday tuesday wednesday thursday friday saturday
(the fields clause at the end is to make it correctly order the columns in the table, and the legends in the chart)
3) and here's a search that anyone with a splunk instance can run. It shows the same kind of pattern but with throughput by splunk index x weekday x hour of day.
index=_internal source=*metrics.log group=per_index_thruput | chart sum(kb) over date_hour by date_wday | fields date_hour sunday monday tuesday wednesday thursday friday saturday
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
1) change field names and values below as necessary, but using either 'report builder' or the 'advanced charting' view, run the following.
sourcetype=access_combined | chart avg(request_time) max(request_time) over date_hour | sort date_hour
This will give you a chart that has distribution of hours across the x-axis and the request times on the y-axis. You probably want to set it to use a line chart if it isnt already. And the sort command is just so the table rows come out in a sensible order.
Note: If your data is very sparse such that there can sometimes be no values at all for a given date_hour, columns may dissappear entirely from the table and chart.
2) A more advanced idea but in a similar vein, is to see the same chart split up into one line per day of the week. And since here im using individual weekday values as my 'split', i can no longer graph both average and max.
sourcetype=access_combined | chart avg(request_time) over date_hour by date_wday | fields date_hour sunday monday tuesday wednesday thursday friday saturday
(the fields clause at the end is to make it correctly order the columns in the table, and the legends in the chart)
3) and here's a search that anyone with a splunk instance can run. It shows the same kind of pattern but with throughput by splunk index x weekday x hour of day.
index=_internal source=*metrics.log group=per_index_thruput | chart sum(kb) over date_hour by date_wday | fields date_hour sunday monday tuesday wednesday thursday friday saturday
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Wow! Thanks, Nick. I really appreciate it!
- Corey
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
