Hi All,
I am writing various Splunk searches to get result sets from IIS logs. Each search has different where conditions and custom conditions. I am using the appendcols command to combine the searches and display them in a table format.
Now the issue is: when I run the combined search it takes a very long time, and the results do not match those of the individual Splunk searches. I think this is because of the subsearch timeout limitations. Please suggest a better solution for my search below:
index=main sourcetype=iis
| where sc_status!="401" AND cs_uri_stem LIKE "%aspx%"
| stats avg(time_taken) as "Avg. Response Time .aspx (ms)"
| appendcols [search index=main sourcetype=iis | where sc_status!="401" | stats avg(time_taken) as "Avg. Response Time All (ms)"]
| appendcols [search index=main sourcetype=iis | eval csuri=lower(cs_uri_stem) | where csuri="/pages/default.aspx" AND sc_status!="401" | stats count(eval(time_taken>4000)) as "Page Views > 4 seconds", count(eval(time_taken>2500)) as "Page Views > 2.5 seconds"]
| appendcols [search index=main sourcetype=iis | eval csuri=lower(cs_uri_stem) | where csuri="/view/pages/default.aspx" AND sc_status!="401" | stats avg(time_taken) as "Page Avg. Response Time (ms)", count as "Page views"]
| appendcols [search index=main sourcetype=iis | where cs_uri_stem LIKE "%aspx%" | stats count(s_computername) as "# of .aspx Hits"]
| appendcols [search index=main sourcetype=iis | where time_taken>4000 AND cs_uri_stem LIKE "%aspx%" | stats count(s_computername) as "# of .aspx Hits > 4 seconds"]
| appendcols [search index=main sourcetype=iis | where time_taken>2500 AND cs_uri_stem LIKE "%aspx%" | stats count(s_computername) as "# of .aspx Hits > 2.5 seconds"]
| appendcols [search index=main sourcetype=iis | where sc_status=503 | eval u_name=replace(cs_username, "0#", "") | eval u_name1=replace(u_name, "\.w\|", "") | eval u_name2=replace(u_name1, "\|", "") | stats dc(u_name2) AS "Unique User 503", count(s_computername) as "Total 503 Errors"]
| appendcols [search index=main sourcetype=iis | eval u_name=replace(cs_username, "0#", "") | eval u_name1=replace(u_name, "\.w\|", "") | eval u_name2=replace(u_name1, "\|", "") | stats count(eval(time_taken>4000)) as hitsfoursecond, count(eval(time_taken>2500)) as hitstwopointfiveseconds, dc(u_name2) AS "Unique Users", count(s_computername) as ElementsHits | eval resultset=(hitsfoursecond/ElementsHits)*100 | eval resultset1=(hitstwopointfiveseconds/ElementsHits)*100 | rename resultset as "% Hits > 4 seconds", resultset1 as "% Hits > 2.5 seconds", hitsfoursecond as "# of Hits > 4 seconds", hitstwopointfiveseconds as "# of Hits > 2.5 seconds" | table "Unique Users", ElementsHits, "# of Hits > 4 seconds", "% Hits > 4 seconds", "% Hits > 2.5 seconds", "# of Hits > 2.5 seconds"]
| appendcols [search index=main sourcetype=iis | eval csuri=lower(cs_uri_stem) | where csuri="/view/pages/default.aspx" | eval u_name=replace(cs_username, "0#", "") | eval u_name1=replace(u_name, "\.w\|", "") | eval u_name2=replace(u_name1, "\|", "") | stats dc(u_name2) as "YHP Unique User", count(s_computername) AS "YHP Elements/Hit"]
Your help is appreciated.
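The following is an added example, not part of the original post, showing how the same columns can be produced in one pass over the events instead of a chain of appendcols subsearches. Every appendcols subsearch re-reads the whole index and is subject to the [subsearch] limits in limits.conf (maxtime, default 60 seconds; maxout, default 10000 rows); when a subsearch is cut off by maxtime its partial aggregate is silently appended, which is the usual cause of column values not matching the stand-alone searches. Computing every metric as a conditional aggregation inside a single stats avoids the subsearches entirely. Assumptions: the field names are those used in the post (cs_uri_stem, cs_username, sc_status, time_taken); the cs_username prefix being stripped is the SharePoint claims prefix 0#.w| (hence the escaped regex); and count is used where the post used count(s_computername), which is equivalent only if every IIS event carries s_computername.

```spl
index=main sourcetype=iis
| eval csuri=lower(cs_uri_stem)
| eval u_name=replace(cs_username, "0#\.w\|", "")
| eval ok=if(sc_status!="401", 1, 0)
| eval is_aspx=if(like(csuri, "%aspx%"), 1, 0)
| eval is_page=if(csuri="/pages/default.aspx", 1, 0)
| eval is_view=if(csuri="/view/pages/default.aspx", 1, 0)
| stats
    avg(eval(if(ok=1 AND is_aspx=1, time_taken, null()))) as "Avg. Response Time .aspx (ms)"
    avg(eval(if(ok=1, time_taken, null()))) as "Avg. Response Time All (ms)"
    count(eval(ok=1 AND is_page=1 AND time_taken>4000)) as "Page Views > 4 seconds"
    count(eval(ok=1 AND is_page=1 AND time_taken>2500)) as "Page Views > 2.5 seconds"
    avg(eval(if(ok=1 AND is_view=1, time_taken, null()))) as "Page Avg. Response Time (ms)"
    count(eval(ok=1 AND is_view=1)) as "Page views"
    count(eval(is_aspx=1)) as "# of .aspx Hits"
    count(eval(is_aspx=1 AND time_taken>4000)) as "# of .aspx Hits > 4 seconds"
    count(eval(is_aspx=1 AND time_taken>2500)) as "# of .aspx Hits > 2.5 seconds"
    dc(eval(if(sc_status="503", u_name, null()))) as "Unique User 503"
    count(eval(sc_status="503")) as "Total 503 Errors"
    count(eval(time_taken>4000)) as hitsfoursecond
    count(eval(time_taken>2500)) as hitstwopointfiveseconds
    dc(u_name) as "Unique Users"
    count as ElementsHits
    dc(eval(if(is_view=1, u_name, null()))) as "YHP Unique User"
    count(eval(is_view=1)) as "YHP Elements/Hit"
| eval "% Hits > 4 seconds"=(hitsfoursecond/ElementsHits)*100
| eval "% Hits > 2.5 seconds"=(hitstwopointfiveseconds/ElementsHits)*100
| rename hitsfoursecond as "# of Hits > 4 seconds", hitstwopointfiveseconds as "# of Hits > 2.5 seconds"
```

avg() ignores null values, so wrapping time_taken in if(..., time_taken, null()) restricts each average to the matching subset without a separate where; count(eval(...)) counts only the events for which the expression is true, and dc(eval(...)) counts distinct non-null values in the same way. Because there is a single stats and no subsearch, the result is exact for the whole time range, and the search can be accelerated or turned into a summary index if it still runs too long.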