I'm like to collect two pieces of information from wildfly access logs in a single summary index: the number of average requests per minute by URI **and** avg/mode/max request duration also by URI.
Here are the pertinent fields logged in each wildfly event:
- _time
- method
- uri
- time_taken
- host
My first query looked like this:
sourcetype=wildfly _logs |bucket _time span=1m | sistats count request_count avg(time_taken) max(time_taken) mode(time_taken) median(time_taken) by uri host _time
However, this resulted in a lot of noise because uri in its raw form contains unique query strings. I'm only interested in caclulating time_taken stats for generic uris (http://www.example.com/somecontroller/someaction vs http://www.example.com/somecontroller/someaction/?QueryString1=foo)
So I try stripping off the query string portion of uri :
sourcetype=wildfly _logs | rex field=uri "^(?.+?)\?"|bucket _time span=1m | sistats count as request_count avg(time_taken) max(time_taken) mode(time_taken) median(time_taken) by uri_base_url host _time
This doesn't work either b/c request_count is under-counted because of the way I'm stripping off query string.
I know I can achieve what I'm after by splitting this summary search in two queries but it **feels** like this is something that can be achieved in a single query. Any pointers are appreciated.
↧