New to Splunk and am having trouble writing a search that would tell me how many IIS transactions have hit a single server over one month with one minute granularity. I would also like this to be "visualized" with the average response time.
OK, great. Can you help us with a bit more information?
1) You do have the events coming into Splunk already?
2) And you can find them in a search?
3) Your issue is really how to transform those raw events into that particular search/report?
If that's all true, then...
4) Are the events parsed into fields properly (e.g. is the sourcetype set right, so that if you run a search in "Verbose" mode you can see fields like c_ip and time_taken)?
Lastly, then, what do you mean by ...
5) How would you define an "IIS transaction?"
6) How does that interact with "time_taken"?
7) 1 minute stats over 30 days is ~45,000 points. Can you display that? I can't.
It's possible something as simple as
sourcetype=iis | bin span=1m _time | stats avg(time_taken) by _time
and switching to your Visualization tab and playing with some things in there. Indeed, try the above search over the past 4 hours or so and tell me what it gets you...
If that actually works for your needs, I'll move this to an answer and we'll be done. But I think you'll have an answer in here that either a) says we need a bit more work or b) need to redefine the problem.
Happy Splunking!
-Rich
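The search above, reproduced offline as an added example (not code from the original thread): a small Python parser for IIS W3C extended log lines that buckets requests into one-minute bins and reports count and average time_taken, the same aggregation as `sourcetype=iis | bin span=1m _time | stats count avg(time_taken) by _time`. The log lines, the field list in the #Fields header and the function names are constructed for the example.

```python
"""Per-minute IIS request count and average time_taken from W3C log lines.
Equivalent of: sourcetype=iis | bin span=1m _time | stats count avg(time_taken) by _time
The sample log below is constructed, not taken from a real server."""
from collections import defaultdict
from datetime import datetime

# Constructed IIS W3C excerpt. The #Fields header names the columns; Splunk's
# iis sourcetype relies on it the same way to extract c_ip, time_taken, etc.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem sc-status c-ip time-taken
2024-01-15 10:00:05 10.0.0.5 GET /index.html 200 192.0.2.10 120
2024-01-15 10:00:40 10.0.0.5 GET /api/items 200 192.0.2.11 80
2024-01-15 10:01:02 10.0.0.5 POST /api/items 500 192.0.2.12 900
2024-01-15 10:01:59 10.0.0.5 GET /index.html 200 192.0.2.10 100
2024-01-15 10:03:10 10.0.0.5 GET /health 200 192.0.2.13 5
"""


def parse_w3c(text):
    """Yield one dict per request using the most recent #Fields header.
    Field names are normalised the way Splunk does it (c-ip -> c_ip)."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = [f.replace("-", "_") for f in line.split()[1:]]
            continue
        if not line or line.startswith("#"):
            continue  # other directives (#Software, #Date) carry no events
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError("field count mismatch: %r" % line)
        yield dict(zip(fields, values))


def per_minute_stats(text):
    """Return {minute_bucket: (count, avg_time_taken_ms)} in time order,
    i.e. bin span=1m _time | stats count avg(time_taken) by _time."""
    counts = defaultdict(int)
    totals = defaultdict(int)
    for ev in parse_w3c(text):
        ts = datetime.strptime(ev["date"] + " " + ev["time"], "%Y-%m-%d %H:%M:%S")
        bucket = ts.replace(second=0)  # bin span=1m
        counts[bucket] += 1
        totals[bucket] += int(ev["time_taken"])  # IIS logs milliseconds
    return {b: (counts[b], totals[b] / counts[b]) for b in sorted(counts)}
```

Minutes with no requests (10:02 here) produce no row, exactly as `stats ... by _time` would; use `timechart` or `makecontinuous` in Splunk if you need zero-filled bins.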
Thank you, this has given me the start that I needed to achieve what I'm looking for.
Show a few sample events.
Thank you, but I don't think I can post examples from our logs without heavily editing them.