0
votes

Hi, I'm developing a Rails web application with a Solr search engine inside. The path to get search results is '/search/results'.

Users make many requests when searching for something, and I need to get the max count of in-time search requests for all time (to check whether I need to do some optimization, increase RAM, etc.). I know that there are peak times when the load is critical and search works slowly.

I use the Splunk service to collect app logs, and it's possible to get this request count from the logs, but I don't know how to write the correct Splunk query to get the data I need.

So, how can I get the max number of requests per 1 hour to the '/search/results' path for a date range?

Thanks kindly!


1 Answer

1
votes

If you can post your example data and/or your sample search, it's much easier to figure out. I'll just post a few examples that I think might lead you in the right direction.


Let's say the '/search/results' is in a field called "uri_path".

earliest=-2w latest=-1w sourcetype=app_logs uri_path="/search/results"
| stats count(uri_path) by date_hour

would give you a count (sum) per hour over the last week.

earliest=-2w latest=-1w sourcetype=app_logs uri_path=*
| stats count by uri_path, date_hour

would split the table (you can think 'group by') by the different uri_paths.

You can use the time-range picker on the right side of the search bar to use a GUI to select your time if you don't want to use the time range abbreviations (w=week, mon=month, m=minute, and so on).

After that, all you need to do is pipe (|) to the stats command, where you can count by date_hour (which is an automatically generated field).



NOTE: If you don't have the uri_path field already extracted, you can do it really easily with the rex command.

... | rex "matching stuff before uri path (?<uri_path>\/\w+\/\w+) stuff after"
| search uri_path="/search/results"
| stats count(uri_path) by date_hour

In case you want to learn more:

  1. Stats Functions (in Splunk)
  2. Field Extractor - for permanent extractions
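An added example, not part of the original answer: date_hour is the hour of day (0-23), so counting by it over a multi-day range adds together every day's events for that hour of day. To find the single busiest one-hour window for the path over the date range, bucket on the event timestamp first. It assumes the sourcetype app_logs and an extracted uri_path field as used in the answer above.

```spl
earliest=-2w latest=-1w sourcetype=app_logs uri_path="/search/results"
| bin _time span=1h
| stats count AS requests BY _time
| sort - requests
| head 1
```

The result is one row: the start of the hour with the most '/search/results' requests and how many there were; drop the last two lines to see every hourly bucket.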