1) I want to count the number of occurrences of the HTTP URL with the p(95) response time for the URL invocation:
https://example.net/v1/abc/xyz with the response code as 200 or 500
2) The response time is the difference of the timestamps between lines 6 & 3.
3) Both the URL invocation & status code occur for the same thread, which is Thread-30_Server_1, and should always be the next occurrences.
If you see both event 1 & event 2 occur with the same thread, the response status code should always be sequential.
So the Splunk search should return event 1 with Status as 200, whereas event 2 with Status as 350.
Event 1:
Line1) 2017-11-10 03:05:38,826 10606295 INFO (Thread-30_Server_1:) :Url in else part is:https://example.net/v1/abc/xyz
Line2) 2017-11-10 03:05:38,826 10606295 INFO (Thread-30_Server_1:) %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Line3) 2017-11-10 03:05:38,826 10606295 INFO (Thread-30_Server_1:) HTTP url : https://example.net/v1/abc/xyz
Line4) 2017-11-10 03:05:38,826 10606295 INFO (Thread-30_Server_1:) Body: [{"itemID":"42650750083","uom":"EACH","toZipCode":"112173111","qty":1,"channel":"dotcom"}]
Line5) 2017-11-10 03:05:38,826 10606295 INFO (Thread-30_Server_1:) %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Line6) 2017-11-10 03:05:39,012 10606481 INFO (Thread-30_Server_1:) :Status Code is:200
Line7) 2017-11-10 03:05:39,012 10606481 INFO (Thread-30_Server_1:) :Status message is:"Success"
Line8) 2017-11-10 03:05:39,012 10606481 INFO (Thread-30_Server_1:) Exit call and 3
Event 2:
Line101) 2017-11-10 03:05:39,364 10606833 INFO (Thread-30_Server_1:) Enter call with 5 attributes
Line102) 2017-11-10 03:05:39,364 10606833 INFO (Thread-30_Server_1:) %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Line103) 2017-11-10 03:05:39,364 10606833 INFO (Thread-30_Server_1:) HTTP url : https://example.net/v2/mmm/nnn
Line104) 2017-11-10 03:05:39,364 10606833 INFO (Thread-30_Server_1:) %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Line105) 2017-11-10 03:05:39,442 10606911 INFO (Thread-30_Server_1:) ####################################################################
Line106) 2017-11-10 03:05:39,442 10606911 INFO (Thread-30_Server_1:) Output from Server
Line107) 2017-11-10 03:05:39,442 10606911 INFO (Thread-30_Server_1:) {"status":350,"message":"Success","body":[{"shortageQty":0,"reservedQty":1,"partiallyReservedQty":0,"problemType":"SUCCESS"}}]}
Line108) 2017-11-10 03:05:39,442 10606911 INFO (Thread-30_Server_1:) ####################################################################
Line109) 2017-11-10 03:05:39,442 10606911 INFO (Thread-30_Server_1:) :Status Code is:350
Line110) 2017-11-10 03:05:39,442 10606911 INFO (Thread-30_Server_1:) :Status message is:"Success"
Line111) 2017-11-10 03:05:39,442 10606911 INFO (Thread-30_Server_1:) Exit call
Assuming they were individual events before the transaction, get rid of the transaction and do it this way...
index=foo ("Status Code is" OR "HTTP url")
| rename COMMENT as "extract thread, url and status, drop all other fields but _time"
| rex "INFO\s+\((?<myThread>[^:\)]*:)\)\s*(HTTP url : (?<myURL>\S+)|:Status Code is:(?<myStatus>\d{3}))"
| rename COMMENT as "keep only request and response records so lasttime is always the request time"
| where isnotnull(myURL) OR isnotnull(myStatus)
| fields _time myThread myURL myStatus
| rename COMMENT as "sort into thread/time order then roll URL and start time forward onto response record"
| sort 0 myThread _time
| streamstats current=f last(_time) as lasttime last(myURL) as lastURL by myThread
| rename COMMENT as "Drop all records but the response, calculate response time in seconds"
| where isnotnull(myStatus)
| eval resptime = _time - lasttime
This should give records that look like this:
| fields _time myThread lastURL myStatus resptime
And then you can run them into this...
| stats avg(resptime) as avgresp p95(resptime) as p95resp by lastURL
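To check the pairing logic offline before running it against the index, here is the same pipeline written in Python. This is an added example, not part of the answer above or of any Splunk code: the log lines are constructed from the question's sample for Thread-30_Server_1 plus a made-up Thread-31_Server_1 whose request is interleaved and answered with a 500, so the per-thread pairing is visible. The regex, the sort-then-carry-forward step and the per-URL count/avg/p95 mirror the SPL rex, streamstats and stats stages; the p95 uses a nearest-rank percentile, which is an assumption (Splunk's perc functions are approximate and may differ slightly on tiny samples). One deliberate safeguard beyond the SPL: a status line is paired only with a request that has not yet been consumed, so a second status on the same thread without a new request is dropped rather than paired with a stale URL.

```python
import math
import re
from datetime import datetime

# Constructed sample: the request/response lines from the question for
# Thread-30_Server_1, plus a made-up Thread-31_Server_1 whose request is
# interleaved with Thread-30's and answered with a 500, to show that the
# pairing is per thread and not simply "next line in the file".
SAMPLE_LOG = """\
2017-11-10 03:05:38,826 10606295 INFO (Thread-30_Server_1:) :Url in else part is:https://example.net/v1/abc/xyz
2017-11-10 03:05:38,826 10606295 INFO (Thread-30_Server_1:) HTTP url : https://example.net/v1/abc/xyz
2017-11-10 03:05:38,900 10606369 INFO (Thread-31_Server_1:) HTTP url : https://example.net/v1/abc/xyz
2017-11-10 03:05:39,012 10606481 INFO (Thread-30_Server_1:) :Status Code is:200
2017-11-10 03:05:39,012 10606481 INFO (Thread-30_Server_1:) :Status message is:"Success"
2017-11-10 03:05:39,364 10606833 INFO (Thread-30_Server_1:) HTTP url : https://example.net/v2/mmm/nnn
2017-11-10 03:05:39,442 10606911 INFO (Thread-30_Server_1:) :Status Code is:350
2017-11-10 03:05:39,500 10606969 INFO (Thread-31_Server_1:) :Status Code is:500
"""

# Equivalent of the SPL rex: timestamp, thread name, then either the request
# URL or the three-digit status code. Lines matching neither are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \d+ INFO "
    r"\((?P<thread>[^:)]*):\)\s*"
    r"(?:HTTP url : (?P<url>\S+)|:Status Code is:(?P<status>\d{3}))"
)


def parse_ts(ts):
    # "%f" accepts the 3-digit millisecond field and stores it as microseconds.
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S,%f")


def pair_requests(lines):
    """Mirror `sort myThread _time | streamstats current=f last(_time) last(myURL)
    by myThread | where isnotnull(myStatus)`: each status line is paired with the
    most recent unconsumed request line on the same thread."""
    records = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            records.append((m["thread"], parse_ts(m["ts"]), m["url"], m["status"]))
    records.sort(key=lambda r: (r[0], r[1]))  # sort 0 myThread _time

    pending = {}  # thread -> (url, request time), carried forward like streamstats
    out = []
    for thread, when, url, status in records:
        if url is not None:
            pending[thread] = (url, when)
        elif thread in pending:
            # pop: a second status with no new request is dropped, not paired
            last_url, last_time = pending.pop(thread)
            out.append({
                "thread": thread,
                "url": last_url,
                "status": int(status),
                "resptime": (when - last_time).total_seconds(),
            })
    return out


def p95(values):
    # Nearest-rank percentile (an assumption; Splunk's perc functions are
    # approximate and can differ slightly on very small samples).
    ordered = sorted(values)
    return ordered[max(0, math.ceil(0.95 * len(ordered)) - 1)]


def summarize(pairs, statuses=None):
    """Mirror `stats count avg(resptime) p95(resptime) by lastURL`, optionally
    restricted to a set of status codes (the question asks for 200 or 500)."""
    by_url = {}
    for p in pairs:
        if statuses is None or p["status"] in statuses:
            by_url.setdefault(p["url"], []).append(p["resptime"])
    return {
        url: {"count": len(times), "avg": sum(times) / len(times), "p95": p95(times)}
        for url, times in by_url.items()
    }


if __name__ == "__main__":
    pairs = pair_requests(SAMPLE_LOG.splitlines())
    for url, row in summarize(pairs, statuses={200, 500}).items():
        print(f"{url}: count={row['count']} avg={row['avg']:.3f}s p95={row['p95']:.3f}s")
```

On the constructed sample this pairs three responses (Thread-30: v1 in 0.186 s with 200 and v2 in 0.078 s with 350; Thread-31: v1 in 0.600 s with 500). Restricting to 200/500 leaves only the v1 URL with a count of 2 and a p95 of 0.600 s, which is the shape of row the SPL stats stage should produce.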
Is that one event with 8 lines, or is that 8 events that have been rolled together using transaction?
The code is simpler in the first case.