Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to get top results based on throughput

samsplunkd
Path Finder
‎01-10-2013 12:25 AM

My dataset is like below:

01/05/2013 23:58:00 -0800, search_name=foo, search_now=1357459200.000, info_min_time=1357459080.000, info_max_time=1357459200.000, info_search_time=1357459425.558, Count=1, apiName="footest", appName="bartest", clRT=70, status=401, svRT=68

01/05/2013 23:58:00 -0800, search_name=foo, search_now=1357459200.000, info_min_time=1357459080.000, info_max_time=1357459200.000, info_search_time=1357459425.558, Count=10, apiName="footest", appName="bartest1", clRT=50, status=200, svRT=52

Each "apiName" can have multiple "appNames".
Successful txn means any event with "status" between 200-400.
Total Txns mean sum(Count)
What I would like to get is for each apiName, the timechart for # of Successful txns over time for "appName"s for which the total throughput is in top 5.

Say there are 7 appName like foo1, foo2, foo3, so on... and their respective TotalTxns is 11,10,9,8,7,6,5. So I would like to show for each apiName, timechart of # of successful txns for appNames (foo1 to foo5 as their throughout is in Top 5)...

apiName can be chosen by the user from the dropdown in the view.

Thanks for your help.

Reply

samsplunkd
Path Finder
‎01-14-2013 03:26 PM

I was able to fix this by doing something like below, in case anyone else is trying to solve similar issue....

index=foo search_name="bar" [search index=foo search_name="bar" apiName="$apiName$"| stats sum(Count) AS Total by appName|sort -Total | head 5 |table appName] | search status>199 AND status<400 apiName="footest" | timechart span=2m eval(sum(Count)) AS TotalSuccess by appName

Thanks Iguinn and Suda for your time.

0 Karma
Reply

Suda
Communicator
‎01-10-2013 08:17 PM

Hello,

What do you think my idea? I hope it helps you.

yoursearchhere apiName="$chosenAPIname$" status >= 200 AND status <=400
    [ search yoursearchhere apiName="$chosenAPIname$"
      | stats sum(Count) AS TotalTxns by appName
      | sort - TotalTxns
      | haed 5
      | fields + appName ]
| timechart sum(Count) as Total by appName

Thanks.

Reply

samsplunkd
Path Finder
‎01-13-2013 12:27 AM

Instead splunk view does something like this:

index=foo search_name="bar " [search index=foo search_name="bar"| stats sum(Count) AS Total by appName|sort -Total | head 5 |table appName] | search status>199 AND status<400 apiName=" footest" | timechart span=2m eval(sum(Count)) AS TotalSuccess by appName

This could work if subsearch can also start using the condition being used by main search. Any ideas?

Reply

samsplunkd
Path Finder
‎01-13-2013 12:27 AM

I could achieve this by doing something like below but there is a problem with this… In the view, I am using “intention” for apiName and splunk doesn’t put “apiName” at two places as shown below,

index=foo search_name="bar" apiName="footest" [search index=foo search_name="bar" apiName="footest" | stats sum(Count) AS Total by appName|sort -Total | head 5 |table appName] | search status>199 AND status<400 | timechart span=2m eval(sum(Count)) AS TotalSuccess by appName

Reply

lguinn2
Legend
‎01-10-2013 11:00 PM

Perhaps there is another way to deal with this in the view?

Reply

samsplunkd
Path Finder
‎01-10-2013 10:44 PM

Thanks for your reply Iguinn and Suda. problem with this approach is if this is used in the view, splunk doesnt add "apiName" in both the searches, rather adds only after the last search. This way sub search doesnt work for that api 😞

Reply

lguinn2
Legend
‎01-10-2013 02:26 AM

This should work. You may need to tweak the syntax of the search a bit...

yoursearchhere apiName="$chosenAPIname$" status >= 200 AND status <=400
| timechart limit=5 sum(Count) as Total by appName

Oops, based on your comment, it looks like you will need to do this:

yoursearchhere apiName="$chosenAPIname$" status >= 200 AND status <=400
    [ search yoursearchhere apiName="$chosenAPIname$" | addinfo | where _time>=info_min_time  
      | top limit=5 showcount=f showperc=f appName ]
| timechart sum(Count) as Total by appName

This creates a subsearch that identfies the top 5 appNames, and then inserts the list as a condition of the search.
I updated this answer to include "addinfo" - otherwise the subsearch runs over all time, which is almost certainly wrong. The addinfo command is cool because it gives the subsearch access to the time parameters of the outer search. That's what the info_min_time is: the earliest time for the outer search.

Reply

lguinn2
Legend
‎01-10-2013 09:48 PM

The update to the answer takes care of that, I hope. See the second search. Suda's answer is similar - it is replicating the functionality of the top command.

Reply

samsplunkd
Path Finder
‎01-10-2013 10:11 AM

Thanks for your reply. But this way "top 5 appName" won't be based on the total throughput but rather based on # of Successful Txns as you are filtering using status. (Total=success+failed)

Any other idea?

Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...