Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to generate an IIS search for how many transactions have hit a single server?

Curman
New Member
‎06-14-2017 12:02 PM

New to Splunk and am having trouble writing a search that would tell me how many IIS transactions have hit a single server over one month with one minute granularity. I would also like this to be "visualized" with the average response time.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Richfez
SplunkTrust
SplunkTrust
‎06-14-2017 05:01 PM

OK, great. Can you help us with a bit more information?

1) You do have the events coming into Splunk already?
2) And you can find them in a search?
3) Your issue is really how to transform those raw events into that particular search/report?

If that's all true, then..

4) Are the events parsed into fields properly (e.g. is the sourcetype set right, so that if you run a search in "Verbose" mode you can see fields like c_ip and time_taken ) ?

Lastly, then, what do you mean by ...

5) How would you define an "IIS transaction?"

6) How does that interact with "time_taken"?
7) 1 minute stats over 30 days is ~45,000 points. Can you display that? I can't.

It's possible something as simple as 

sourcetype=iis | bin span=1m _time | stats avg(time_taken) by _time

and switching to your Visualization tab and playing with some things in there. Indeed, try the above search over the past 4 hours or so and tell me what it gets you...

If that actually works for your needs, I'll move this to an answer and we'll be done. But I think you'll have an answer in here that either a) says we need a bit more work or b) need to redefine the problem.

Happy Splunking!
-Rich

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Richfez
SplunkTrust
SplunkTrust
‎06-14-2017 05:01 PM

OK, great. Can you help us with a bit more information?

1) You do have the events coming into Splunk already?
2) And you can find them in a search?
3) Your issue is really how to transform those raw events into that particular search/report?

If that's all true, then..

4) Are the events parsed into fields properly (e.g. is the sourcetype set right, so that if you run a search in "Verbose" mode you can see fields like c_ip and time_taken ) ?

Lastly, then, what do you mean by ...

5) How would you define an "IIS transaction?"

6) How does that interact with "time_taken"?
7) 1 minute stats over 30 days is ~45,000 points. Can you display that? I can't.

It's possible something as simple as 

sourcetype=iis | bin span=1m _time | stats avg(time_taken) by _time

and switching to your Visualization tab and playing with some things in there. Indeed, try the above search over the past 4 hours or so and tell me what it gets you...

If that actually works for your needs, I'll move this to an answer and we'll be done. But I think you'll have an answer in here that either a) says we need a bit more work or b) need to redefine the problem.

Happy Splunking!
-Rich

0 Karma
Reply
Solved! Jump to solution

Curman
New Member
‎06-21-2017 01:27 PM

Thank you, this has given me the start that I needed to achieve what I'm looking for.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎06-14-2017 12:22 PM

Show a few sample events.

0 Karma
Reply
Solved! Jump to solution

Curman
New Member
‎06-21-2017 01:26 PM

Thank You but I don't think I can post examples from our logs without heavily editing them

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...