How to Splunk search for transaction types that have a median latency above 3 seconds
I have a table showing latency data, and now I want to write an alert query that fires when the median for a request (method + uri) is above 3000 ms (3 seconds).
The query I use for the latency table is:
index=ms-app environment=prod AND "*"
| eval uri=replace(mvindex(split('request.uri', "?"), 0), "\/\d+[-+\w]+", "/:n"), methodOverride='request.headers.X-HTTP-Method-Override'
| eval methodOverrideStr = if(isnull(methodOverride) OR methodOverride=="null", "", "(" + methodOverride + ")")
| eval request = 'request.method' + methodOverrideStr + " " + uri + " " + 'response.httpStatusCode'
| stats
min(stats.overallResponseTimeInMilliSeconds) as "Min",
avg(stats.overallResponseTimeInMilliSeconds) as avg_latency,
max(stats.overallResponseTimeInMilliSeconds) as "Max",
median(stats.overallResponseTimeInMilliSeconds) as "Median",
perc95(stats.overallResponseTimeInMilliSeconds) as "95th %",
count(request) as "# req total", count(eval('stats.overallResponseTimeInMilliSeconds' > 3000)) as "#>3s",
count(eval('stats.overallResponseTimeInMilliSeconds' > 5000)) as "#>5s",
count(eval('stats.overallResponseTimeInMilliSeconds' > 10000)) as "#>10s" by request
| eval "Avg" = round(avg_latency, 0)
| table request, "Median"
This produces a table showing the median latency per method + uri, for example:
- POST /first-endpoint 1000
- GET /second-endpoint 2000
- DELETE /third-endpoint 1500
- POST /fourth-endpoint 4000
- GET /fifth-endpoint 4500
Now I am trying to create a query that shows only the method + uris whose median latency is above 3 seconds, so that I can create an alert in Splunk that tells me which endpoints have high latency.
This is what I tried:
index=ms-app environment=prod AND "*"
| eval uri=replace(mvindex(split('request.uri', "?"), 0), "\/\d+[-+\w]+", "/:n"), methodOverride='request.headers.X-HTTP-Method-Override'
| eval methodOverrideStr = if(isnull(methodOverride) OR methodOverride=="null", "", "(" + methodOverride + ")")
| eval request = 'request.method' + methodOverrideStr + " " + uri + " " + 'response.httpStatusCode'
| stats
median(stats.overallResponseTimeInMilliSeconds) as "Median"
| table request, "Median" > 3000
It should show this:
- POST /fourth-endpoint 4000
- GET /fifth-endpoint 4500
But it only shows the same results as the first query.
Use the where command to filter events based on field values.
... | where Median > 3000
| table request, Median
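For reference, here is the asker's pipeline with the where filter placed where it has to go, after stats (the Median field does not exist before that command, and table only selects columns, it cannot evaluate a comparison). This is an added example, not the answerer's code; the field and index names come from the question, while the per-request count, the minimum sample size of 10 and the sort are assumptions added to keep the alert from firing on an endpoint that saw only one or two slow requests.

```spl
index=ms-app environment=prod AND "*"
| eval uri=replace(mvindex(split('request.uri', "?"), 0), "\/\d+[-+\w]+", "/:n"), methodOverride='request.headers.X-HTTP-Method-Override'
| eval methodOverrideStr = if(isnull(methodOverride) OR methodOverride=="null", "", "(" + methodOverride + ")")
| eval request = 'request.method' + methodOverrideStr + " " + uri + " " + 'response.httpStatusCode'
| stats median(stats.overallResponseTimeInMilliSeconds) as Median, count as n by request
| where Median > 3000 AND n >= 10
| sort - Median
| table request, Median, n
```

Saved as an alert with a trigger condition of "number of results greater than 0", this search fires only when at least one endpoint crosses the 3 second median with a meaningful number of samples; drop the `AND n >= 10` clause if you want the plain median threshold from the answer.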