Solved: count events per user, showing average latency

tmarlette · ‎10-30-2013

I am attempting to count the number of times a user has made a web server 'hit', and also display the average latency of that/those users.

Search Query:

sourcetype=www NOT hck=* user=< user > | stats avg(time_taken) as "latency(1s)" | stats count(user) by latency(1s)

I can't seem to get the fields to come out right, either I get just the latency, or the count and the latency without the user.

kristian_kolb · ‎10-30-2013

should work,

sourcetype=www NOT hck=* user=< user > | eventstats avg(time_taken) as latency | stats count(user) by latency | rename latency as "latency (1s)"

UPDATE:

perhaps this is what you're after:

sourcetype=www NOT hck=* user=* | stats count as hits, avg(time_taken) as "latency(1s)" by user

/k

View solution in original post

kristian_kolb · ‎10-30-2013

should work,

sourcetype=www NOT hck=* user=< user > | eventstats avg(time_taken) as latency | stats count(user) by latency | rename latency as "latency (1s)"

UPDATE:

perhaps this is what you're after:

sourcetype=www NOT hck=* user=* | stats count as hits, avg(time_taken) as "latency(1s)" by user

/k

tmarlette · ‎11-01-2013

Actually I just tweeked this a little bit, but you were pretty much spot on. Here is the final search:
sourcetype=www NOT hck=* | eval user=user."@".domain | stats count as hits, avg(time_taken) as "avg latency(1s)" by user | sort - "avg latency(1s)"

kristian_kolb · ‎10-30-2013

Or wait. That does not seem right. What do you really want? Provide sample events and sketch of desired output, please

count events per user, showing average latency

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...