- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to generate an IIS search for how many tra...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
New to Splunk and am having trouble writing a search that would tell me how many IIS transactions have hit a single server over one month with one minute granularity. I would also like this to be "visualized" with the average response time.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK, great. Can you help us with a bit more information?
1) You do have the events coming into Splunk already?
2) And you can find them in a search?
3) Your issue is really how to transform those raw events into that particular search/report?
If that's all true, then..
4) Are the events parsed into fields properly (e.g. is the sourcetype set right, so that if you run a search in "Verbose" mode you can see fields like c_ip and time_taken ) ?
Lastly, then, what do you mean by ...
5) How would you define an "IIS transaction?"
6) How does that interact with "time_taken"?
7) 1 minute stats over 30 days is ~45,000 points. Can you display that? I can't.
It's possible something as simple as
sourcetype=iis | bin span=1m _time | stats avg(time_taken) by _time
and switching to your Visualization tab and playing with some things in there. Indeed, try the above search over the past 4 hours or so and tell me what it gets you...
If that actually works for your needs, I'll move this to an answer and we'll be done. But I think you'll have an answer in here that either a) says we need a bit more work or b) need to redefine the problem.
Happy Splunking!
-Rich
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK, great. Can you help us with a bit more information?
1) You do have the events coming into Splunk already?
2) And you can find them in a search?
3) Your issue is really how to transform those raw events into that particular search/report?
If that's all true, then..
4) Are the events parsed into fields properly (e.g. is the sourcetype set right, so that if you run a search in "Verbose" mode you can see fields like c_ip and time_taken ) ?
Lastly, then, what do you mean by ...
5) How would you define an "IIS transaction?"
6) How does that interact with "time_taken"?
7) 1 minute stats over 30 days is ~45,000 points. Can you display that? I can't.
It's possible something as simple as
sourcetype=iis | bin span=1m _time | stats avg(time_taken) by _time
and switching to your Visualization tab and playing with some things in there. Indeed, try the above search over the past 4 hours or so and tell me what it gets you...
If that actually works for your needs, I'll move this to an answer and we'll be done. But I think you'll have an answer in here that either a) says we need a bit more work or b) need to redefine the problem.
Happy Splunking!
-Rich
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you, this has given me the start that I needed to achieve what I'm looking for.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Show a few sample events.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank You but I don't think I can post examples from our logs without heavily editing them
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
Splunk APM: New Product Features + Community Office Hours Recap!
