Solved: range(_time) help ??

rakesh_498115 · ‎11-15-2012

I have bulk of 1 lakh events in my logs . I have used the stats(_range) command to calculate the average response time of all the transactions , but then for few transactions i couldnt see the proper values coming .. i.e if i use the transcation command i am getting the desired results but its taking too much of time .. so i tried with stats range(_time) but its not getting correct results..

Stats Query ::

index="apps" ("Request document" OR "Response document") | stats range(_time) as duration by Product

This Query is not working i.e showing improper stats . so i have used the transaction query as below but its taking so much of time to execute.

Transaction Query ::

index="apps" ("Request document" OR "Response document") | stats avg(_time) as duration by Product

Please help Or Suggest a better way to calucate the avg response time..i have huge amount of requests per hr say 1 lakh nd in need the stats for over 24 hrs period.

index="apps" ("Request document" OR "Response document") | transaction keepevicted=true Product | table Product,duration

Ayn · ‎11-15-2012

A few things. First of all, what is "lakh" and "nd"?

Secondly, it's no wonder that your stats query isn't working - you're taking an average value of the events' epoch timestamps, which is in no way related to durations. Judging by your transaction query that is reportedly working I don't see why you want an average value in your stats query? To get the duration by product, you could get the last _time value and subtract the first _time value from that.

... | stats earliest(_time),latest(_time) by Product | eval duration=latest(_time)-earliest(_time) | table Product,duration

View solution in original post

martin_mueller · ‎11-15-2012

avg(_time) calculates the average of the event timestamps, not any kind of time delay.

Assuming each Product has exactly one request and response event, you can compute the difference between the maximum and minimum _time to get the response time.

Concerning the transaction run duration, you can fine-tune that by setting maxspan/maxpause.

Ayn · ‎11-15-2012

A few things. First of all, what is "lakh" and "nd"?

Secondly, it's no wonder that your stats query isn't working - you're taking an average value of the events' epoch timestamps, which is in no way related to durations. Judging by your transaction query that is reportedly working I don't see why you want an average value in your stats query? To get the duration by product, you could get the last _time value and subtract the first _time value from that.

... | stats earliest(_time),latest(_time) by Product | eval duration=latest(_time)-earliest(_time) | table Product,duration

rakesh_498115 · ‎11-17-2012

Even the mentioned query worked for me Ayn..thanx

Ayn · ‎11-16-2012

Ah yes, range would do it as well. I AM trying to help you, but I don't see any response to what I suggested. What's not working? What are expected results, and what are you in fact getting?

rakesh_498115 · ‎11-15-2012

Hi Ayn,

Its not average actually , i need the time difference between the request and respone . so i have used range(_time) .. but this is not giving proper results .can you pls help me on this .

martin_mueller · ‎11-15-2012

One lakh is 100000.

range(_time) help ??

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!