Hi,
I am trying to pull data from IIS logs. To retrieve the data, I use several eval statements together with the eventstats and stats commands.
The problem is that when I use eventstats in my query, the result set differs. Without eventstats in the query, I get the correct result. Please advise.
Please find the query here:
index=main sourcetype=iis | eval aspx_time_taken=if(cs_uri_stem LIKE "%aspx%" AND sc_status!="401",time_taken,null()) | eval csuri_time_taken=if(lower(cs_uri_stem)="/pages/default.aspx" AND sc_status!="401",time_taken,null())
```Purpose of this search: derive per-request helper fields from IIS events, then collapse them with a single stats call into response-time, hit-count, 503 and unique-user figures. The evals above and on the next line keep time_taken only when sc_status is not 401: for .aspx URLs (aspx_time_taken), /pages/default.aspx (csuri_time_taken), /view/pages/default.aspx (page_time_taken) and all requests (time_taken_not401).```
| eval page_time_taken=if(lower(cs_uri_stem)="/view/pages/default.aspx" AND sc_status!="401",time_taken,null()) | eval time_taken_not401=if(sc_status!="401",time_taken,null())
```s_computername_all / _4s / _25s copy the server name only for .aspx requests (any, slower than 4000 ms, slower than 2500 ms) so that count() over them counts those hits. u_name, u_name1 and u_name2 strip pieces of cs_username before the distinct counts. NOTE(review): the second argument of replace() is a regular expression, so ".w|" reads as "any character followed by w, or the empty string" rather than a literal ".w|"; it can delete characters from inside a name and so change the unique-user figures - confirm the intended pattern.```
| eval s_computername_all=if(cs_uri_stem LIKE "%aspx%" ,s_computername,null()) | eval s_computername_4s=if(cs_uri_stem LIKE "%aspx%" AND time_taken > 4000 ,s_computername,null()) | eval s_computername_25s=if(cs_uri_stem LIKE "%aspx%" AND time_taken > 2500,s_computername,null()) | eval u_name =replace(cs_username, "0#","")| eval u_name1= replace(u_name, ".w|","")|eval u_name2=replace(u_name1,"\|","")
```u_name2_503 and s_computername_503 are set only on 503 responses. RPS is _time formatted to one-second resolution, and RPS_Not401 is the same value for non-401 events only. Each eventstats writes the per-second event count back onto the events. NOTE(review): eventstats is subject to the max_mem_usage_mb limit in limits.conf - when results change with eventstats present, check the job inspector for a related warning.```
| eval u_name2_503=if(sc_status="503",u_name2,null()) | eval s_computername_503=if(sc_status="503",s_computername,null())|eval RPS=strftime(_time,"%Y-%m-%d %H:%M:%S")|eval RPS_Not401= if(sc_status!="401", RPS,null())| eventstats count(RPS) as RPS_Count by RPS |eventstats count(RPS_Not401) as RPS_Not401_Count by RPS_Not401
```hitsfoursecond and hitstwopointfiveseconds are 0/1 flags that the stats call sums. The *_yhp fields keep user and server name only for /view/pages/default.aspx. NOTE(review): avg(RPS_Count) averages over events, not over seconds, so a second holding many requests contributes once per request. The stats call has no by clause, so it returns a single row.```
| eval hitsfoursecond=if(time_taken > 4000,1,0) | eval hitstwopointfiveseconds=if(time_taken > 2500,1,0) | eval u_name2_yhp=if(lower(cs_uri_stem)="/view/pages/default.aspx",u_name2,null()) | eval s_computername_yhp=if(lower(cs_uri_stem)="/view/pages/default.aspx",s_computername,null()) |stats avg(RPS_Count) as "Avg. Requests Per Second" , max(RPS_Count) as "Max Requests Per Second", avg(RPS_Not401_Count) as "Avg. Requests Per Second (excl 401)", max(RPS_Not401_Count) as "Max Requests Per Second (excl 401)" avg(aspx_time_taken) as "Avg. Response Time .aspx (ms)" avg(time_taken_not401) as "Avg. Response Time All (ms)" count(eval(csuri_time_taken>4000)) as "PageViewsfoureconds" count(eval(csuri_time_taken>2500)) as "PageViews_2point5_seconds" avg(page_time_taken) as "Standard Page Avg. Response Time (ms)" count(page_time_taken) as "Standard Page Views" avg(csuri_time_taken) as "Page Avg. Response Time (ms)", count(csuri_time_taken) as "Pageviews" count(s_computername_all) as "No_of_aspx_Hits" count(s_computername_4s) as "No_of_aspx_Hits_4_seconds" count(s_computername_25s) as "No_of_aspx_Hits_25_seconds" dc(u_name2_503) AS "Unique User 503", count(s_computername_503) as "Total 503 Errors" sum(hitsfoursecond) as "hitsfoursecond",sum(hitstwopointfiveseconds) as "hitstwopointfiveseconds" dc(u_name2) AS "Unique Users", count(s_computername) as "ElementsHits" dc(u_name2_yhp) as "YHP Unique User", count(s_computername_yhp) AS "YHP Elements/Hit"
```Ratios computed from the single stats row, then renamed to display labels. NOTE(review): resultset4, resultset5 and resultset6 are not multiplied by 100 although they are renamed to "% ..." columns, unlike resultset..resultset3. The rename refers to PageViews while stats produced "Pageviews"; field names are case-sensitive, so that rename likely matches nothing - confirm.```
|eval resultset= (hitsfoursecond/ElementsHits) *100 |eval resultset1=(hitstwopointfiveseconds/ElementsHits)*100 |eval resultset2=(PageViewsfoureconds/Pageviews)*100|eval resultset3=(PageViews_2point5_seconds/Pageviews)*100 |eval resultset4=(No_of_aspx_Hits_4_seconds/No_of_aspx_Hits)|eval resultset5=(No_of_aspx_Hits_25_seconds/No_of_aspx_Hits)|eval resultset6=(PageViewsfoureconds/hitsfoursecond) |rename resultset as "% Hits > 4 seconds" resultset1 as "% Hits > 2.5 seconds" hitsfoursecond as "# of Hits > 4 seconds" hitstwopointfiveseconds as "# of Hits > 2.5 seconds" resultset2 as "% Page Views > 4 seconds" resultset3 as "% Page Views > 2.5 seconds" PageViews as "Page Views" PageViewsfoureconds as "Page Views > 4 seconds" PageViews_2point5_seconds as "Page Views > 2.5 seconds" No_of_aspx_Hits as "# of .aspx Hits" No_of_aspx_Hits_4_seconds as "# of .aspx Hits > 4 seconds" No_of_aspx_Hits_25_seconds as "# of .aspx Hits > 2.5 seconds" resultset4 as "% .aspx Hits > 4 seconds" resultset5 as "% .aspx Hits > 2.5 seconds" resultset6 as "% Redirect Hits > 4 secs to Overall Hits > 4 secs"