I have a Splunk search that extracts from the events the various queries executed and the time taken by each. I want to find the top 10 queries in terms of total runtime, irrespective of the count of runs. Currently I am using this:
index=web_query Query!="" OR ReqEnd!="" OR ReqEnd!="*health" | eval Duration = round(ExecMs/60000,2) | rex field=Query mode=sed "s/\/\*.*\*\/\s*//g" | rex field=Query mode=sed "s/\d/X/g" | rex field=Query mode=sed "s/'.*'/''/g" | transaction Id | stats sum(Duration) as TotalDuration by Query | sort -TotalDuration
But this is not giving me the correct result. For example, there is one query that took 40 minutes; it is reflected in the 4-hour time span, but not in the 24-hour one.
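The following is an added example, not code from the post above or from Splunk: a small Python model of what the search pipeline does per event (the three `rex mode=sed` stages reproduced as `re` substitutions, the `round(ExecMs/60000,2)` conversion, the `stats sum(Duration) by Query` aggregation and the `sort -TotalDuration` ranking), run over constructed sample events so the totals can be checked by hand. The `transaction Id` stage is not modelled; every sample event has a unique `Id`. Event contents, `Id` values and `ExecMs` figures are all made up for the illustration. It also shows one caveat a reviewer would check in the normalization step: `s/'.*'/''/g` is greedy, so a query with two quoted literals on one line is collapsed from the first quote to the last, which merges differently shaped queries into one bucket. A non-greedy variant is included alongside it.

```python
import re
from collections import defaultdict

# Constructed sample events standing in for index=web_query results (not from
# the original post). ExecMs is the per-event execution time in milliseconds.
SAMPLE_EVENTS = [
    {"Id": "a1", "Query": "/* hint */ SELECT * FROM orders WHERE id = 42", "ExecMs": 2400000},  # 40 min, run once
    {"Id": "a2", "Query": "SELECT * FROM orders WHERE id = 17", "ExecMs": 60000},               # 1 min
] + [
    # five runs of a cheap query: high count, lower total than the single 40-minute run
    {"Id": f"u{i}", "Query": "SELECT name FROM users WHERE email = 'x@y.io'", "ExecMs": 300000}
    for i in range(5)
] + [
    {"Id": "s1", "Query": "SELECT count(*) FROM sessions WHERE ts > 1700000000", "ExecMs": 90000},
]


def normalize_query(query: str) -> str:
    """The three rex mode=sed stages from the search, applied in the same order:
    strip /* ... */ comments, mask every digit with X, blank quoted literals."""
    query = re.sub(r"/\*.*\*/\s*", "", query)
    query = re.sub(r"\d", "X", query)
    query = re.sub(r"'.*'", "''", query)  # greedy: spans from the first quote to the LAST quote
    return query


def normalize_query_nongreedy(query: str) -> str:
    """Same normalization, but each comment and each quoted literal is handled on its own."""
    query = re.sub(r"/\*.*?\*/\s*", "", query)
    query = re.sub(r"\d", "X", query)
    query = re.sub(r"'[^']*'", "''", query)
    return query


def duration_minutes(exec_ms: int) -> float:
    """eval Duration = round(ExecMs/60000, 2): milliseconds to minutes, two decimals."""
    return round(exec_ms / 60000, 2)


def total_duration_by_query(events, normalize=normalize_query) -> dict:
    """stats sum(Duration) as TotalDuration by Query, keyed on the normalized query text."""
    totals = defaultdict(float)
    for ev in events:
        totals[normalize(ev["Query"])] += duration_minutes(ev["ExecMs"])
    return {q: round(t, 2) for q, t in totals.items()}


def top_queries(events, n=10, normalize=normalize_query):
    """sort -TotalDuration | head n: ranked by total runtime, not by number of runs."""
    totals = total_duration_by_query(events, normalize)
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    for query, total in top_queries(SAMPLE_EVENTS, 3):
        print(f"{total:8.2f} min  {query}")
```

With these inputs the single 40-minute run plus one 1-minute run of the same shape (41.00 min) outranks the query that ran five times for 25.00 min in total, which is the ranking the question asks for. Note that masking digits one at a time means `id = 7` and `id = 42` normalize to different strings (`X` versus `XX`); if that is not intended, `\d+` would collapse them into one bucket.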