Splunk Search

How to get average page size from access logs

xvxt006
Contributor

Hi, from the access logs, I am getting the commands (part of the URI) and their execution count in a tabular format. I want to add average page size to it. I am able to extract the page size individually by adding a field. But how can I include it in the same query so that I can get all stats with the same query?

Current query

sourcetype=accesscombinedwcookie host=prgwc* | rex field=uri "((?:/wrewwee/)|(?:/werwerww/eww/))(?<command>[a-zA-Z0-9]+)" | top limit=5000 command

For example, right now I have output that looks like this.

Command Count Percentage
Search 14000 8%
Home 7000 4%

I would like to have the output like this

Command Count Percentage AvgPageSize
Search 14000 8% 60k
Home 7000 4% 50k

How can I do this? Any help is appreciated 🙂

0 Karma
1 Solution

alacercogitatus
SplunkTrust

I think you will be wanting the appendcols command. The problem is that you have two different operations you want (top and stats). It makes the search longer, and runs 2 searches, but with different styles of data stats. Try this:

sourcetype=accesscombinedwcookie host=prgwc* | rex field=uri "((?:/wrewwee/)|(?:/werwerww/eww/))(?<command>[a-zA-Z0-9]+)" | top limit=5000 command | appendcols [search sourcetype=accesscombinedwcookie host=prgwc* | rex field=uri "((?:/wrewwee/)|(?:/werwerww/eww/))(?<command>[a-zA-Z0-9]+)" | stats avg(PageSize) as AvgPageSize by command]

http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/Appendcols

xvxt006
Contributor

Hi, when I try to drill down, I am getting this message "PARSER: Applying intentions failed Unable to drilldown because of post-reporting 'appendcols' command". Any idea why we would get this?

0 Karma

xvxt006
Contributor

Awesome. I am getting the results, and at first look they are looking good. Thanks for your help.

0 Karma

Ayn
Legend

If you use the stats command, you can just add this:

... | stats count,avg(PageSize) as AvgPageSize by command

(assuming you have the page size extracted to a field called "PageSize")

0 Karma

Ayn
Legend

Yeah you can't use both. The caveat with not using the top command is that you won't get the percent field. There are ways of calculating it with stats as well, though it's a bit more work than with top. Do you want the percent field?

0 Karma
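
The stats-based percent calculation mentioned in the reply above, as an added example that is not part of the original thread. The `makeresults`/`streamstats`/`eval` lines only generate six constructed events so the search runs on any instance; the command values and page sizes are made up, the `PageSize` field name is taken from the thread, and `total` and `percent` are names chosen here.

```spl
| makeresults count=6
| streamstats count as n
| eval command=case(n<=3,"Search", n<=5,"Home", true(),"Cart"), PageSize=n*10000
| stats count, avg(PageSize) as AvgPageSize by command
| eventstats sum(count) as total
| eval percent=round(count/total*100, 2)
| sort - count
| fields command count percent AvgPageSize
```

Against real data, replace the first three lines with the base search and rex extraction from the question. A single stats pass keeps count, percent and AvgPageSize keyed to the same command value, whereas appendcols pairs rows by position.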

xvxt006
Contributor

Thanks Ayn. If I have both stats and top, the results are not looking right. If I took out top, I don't see the percentage for the commands. Any suggestions?

| stats count, avg(PageSize) as AvgPageSize by command | top limit=5000 command

0 Karma