I have logs that I'm trying to analyze and get the daily average latency per URL. I'll provide a sample log, and what I'd like as the resulting table.
Oct 9 10:46:10 x.x.x.x Hostname="Test",RequestStartTimestamp="1412873168",ResponseStartTimestamp="1412873170",URLString="/TEST/api/Referral/",ClientIP="x.x.x.x",MethodString="GET",ResponseCode="200",ServerLatency="2304",RequestSize="1068",ResponseSize="17287"
URLString1 ServerLatencyMax=10 avg(ServerLatency)=7
URLString2 ServerLatencyMax=15 avg(ServerLatency)=9
URLString3 ServerLatencyMax=12 avg(ServerLatency)=3
URLString4 ServerLatencyMax=11 avg(ServerLatency)=4
URLString5 ServerLatencyMax=1 avg(ServerLatency)=1
URLString1 ServerLatencyMax=10 avg(ServerLatency)=7
URLString2 ServerLatencyMax=10 avg(ServerLatency)=7
URLString3 ServerLatencyMax=10 avg(ServerLatency)=7
URLString4 ServerLatencyMax=10 avg(ServerLatency)=7
URLString5 ServerLatencyMax=10 avg(ServerLatency)=7
I've been trying something along the lines of:
index=test sourcetype=test_log ResponseCode="200" | stats avg(ServerLatency) as AVG_ServerLatency by URLString | sort AVG_ServerLatency | reverse
This will get me the average for whatever time period I'm searching for, per URL. But I'd like to separate out by day.
Try this
index=test sourcetype=test_log ResponseCode="200" | eval Date=strftime(_time,"%d-%b-%Y") | stats max(ServerLatency) as MaxServerLatency, avg(ServerLatency) as AVGServerLatency by Date,URLString | sort Date, -MaxServerLatency | streamstats count as rank by Date | where rank < 6
Very close to perfect, thanks. I ended up changing the sort based around AVGServerLatency instead of the Max, but otherwise it works great. Appreciate it.
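For cross-checking the search results outside Splunk, the same pipeline (filter on ResponseCode, bucket by day and URLString, take max and average, keep the top five per day ranked by average as the asker settled on) can be reproduced offline. This is an added example, not code from the thread; the function names, the /TEST/api/Login/ URL, and the use of RequestStartTimestamp in UTC as the day boundary are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

KV = re.compile(r'(\w+)="([^"]*)"')  # key="value" pairs, as in the sample event

def event(ts, url, code, latency):
    """Build a constructed log line in the question's key="value" layout."""
    return (f'Oct 9 10:46:10 x.x.x.x Hostname="Test",RequestStartTimestamp="{ts}",'
            f'URLString="{url}",ResponseCode="{code}",ServerLatency="{latency}"')

# Constructed sample data (hypothetical values, not real traffic).
SAMPLE = [
    event(1412873168, "/TEST/api/Referral/", 200, 2304),
    event(1412873200, "/TEST/api/Referral/", 200, 1696),
    event(1412873300, "/TEST/api/Login/", 200, 500),
    event(1412873400, "/TEST/api/Login/", 500, 9000),   # non-200: filtered out
    event(1412959568, "/TEST/api/Login/", 200, 3000),   # next day (UTC)
    event(1412959600, "/TEST/api/Referral/", 200, ""),  # malformed latency: skipped
]

def daily_latency(lines, top_n=5):
    """Return {date: [(url, max, avg), ...]}, ranked by average latency, highest first."""
    groups = defaultdict(list)
    for line in lines:
        fields = dict(KV.findall(line))
        if fields.get("ResponseCode") != "200":
            continue
        try:
            ts = int(fields["RequestStartTimestamp"])
            latency = int(fields["ServerLatency"])
            url = fields["URLString"]
        except (KeyError, ValueError):
            continue  # missing or non-numeric field: leave it out of the stats
        # ISO dates sort chronologically as strings, unlike "%d-%b-%Y".
        day = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d")
        groups[(day, url)].append(latency)

    per_day = defaultdict(list)
    for (day, url), values in groups.items():
        per_day[day].append((url, max(values), sum(values) / len(values)))

    # Equivalent of: sort Date, -AVGServerLatency | streamstats ... | where rank < 6
    return {day: sorted(rows, key=lambda r: -r[2])[:top_n]
            for day, rows in sorted(per_day.items())}

if __name__ == "__main__":
    for day, rows in daily_latency(SAMPLE).items():
        for url, mx, avg in rows:
            print(f"{day} {url} ServerLatencyMax={mx} avg(ServerLatency)={avg:.0f}")
```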