Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Show average response time of top 20 URLs

herbie
Path Finder
‎01-28-2011 07:15 AM

Hey Guys, I thought this would be simple, but doesn't seem so. From our HTTP logs, I want to get a list of the top 20 hit URLs and show the average response time for each of those within the one search.

Something like this:

index=prod sourcetype="odr" | top limit=20 cs_uri_stem | stats avg(time_taken) by cs_uri_stem

However, the time_taken field doesn't get passed to the stats command so it displays blank.

Basically, this is the output I want to show:

I was looking at the documentation on subsearches, but I can't figure out how to do it with that either.

Any ideas?

Thanks in advance.

Tags (1)
Reply
2 Solutions
Solved! Jump to solution
Solution

Ayn
Legend
‎01-28-2011 07:49 AM

You could just skip the top clause and use stats directly:

index=prod sourcetype="odr" | stats count,avg(time_taken) by cs_uri_stem | sort - count

The only caveat is that this will return results for all URL's, not just the top 20. However with the sort you'll get the top 20 first in the results anyhow.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

araitz
Splunk Employee
Splunk Employee
‎01-28-2011 04:34 PM

There are a few ways to do this, but this is probably the best:

index=prod sourcetype="odr" earliest=-1h [search index=prod sourcetype="odr" earliest=-1h | top limit=20 cs_uri_stem | fields cs_uri_stem] | stats avg(time_taken) by cs_uri_stem

To add to Ayn's answer:

index=prod sourcetype="odr" | stats count,avg(time_taken) by cs_uri_stem | sort - count | head 20

View solution in original post

Reply
Solved! Jump to solution
Solution

araitz
Splunk Employee
Splunk Employee
‎01-28-2011 04:34 PM

There are a few ways to do this, but this is probably the best:

index=prod sourcetype="odr" earliest=-1h [search index=prod sourcetype="odr" earliest=-1h | top limit=20 cs_uri_stem | fields cs_uri_stem] | stats avg(time_taken) by cs_uri_stem

To add to Ayn's answer:

index=prod sourcetype="odr" | stats count,avg(time_taken) by cs_uri_stem | sort - count | head 20
Reply
Solved! Jump to solution

herbie
Path Finder
‎01-31-2011 06:28 AM

Thanks for the responses guys, both solutions work well.

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎01-28-2011 08:21 PM

Doh, of course 🙂 Thanks for filling that in.

0 Karma
Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎01-28-2011 07:49 AM

You could just skip the top clause and use stats directly:

index=prod sourcetype="odr" | stats count,avg(time_taken) by cs_uri_stem | sort - count

The only caveat is that this will return results for all URL's, not just the top 20. However with the sort you'll get the top 20 first in the results anyhow.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...