Hello Splunk Masters,
The search query I have built out works great, but due to the number of requests hitting us, Splunk can get backed up and post a bunch of logs all at once, which causes a manufactured spike in my chart.
I would love to work around this by building a timechart off of a custom time field (BeginRequest-UTC) and converting it to PST. This way we're able to see when the requests are hitting our IIS services and accurately monitor when spikes are generated. I also need to be able to break it down by UserAgent to determine which user agents are sending successful responses and which are sending unsuccessful responses.
The query below is what I'm using to look at successful IIS responses broken down by UserAgent.
sourcetype=iis_logs http_status!=40* http_status!=5* | timechart count by UserAgent
Any help is appreciated!
Thanks,
Evan
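One way to build the chart described in the question, added here as an example and not taken from the original post. It assumes BeginRequest-UTC is an ISO-8601 string such as 2024-01-15T08:30:00Z (constructed sample format) and that the viewing user's Splunk timezone preference is set to US/Pacific, so the parsed UTC epochs render as PST/PDT in the chart:

```spl
sourcetype=iis_logs
| eval _time=strptime(replace('BeginRequest-UTC', "Z$", "+0000"), "%Y-%m-%dT%H:%M:%S%z")
| eval outcome=case(match(http_status, "^[45]"), "failed", true(), "succeeded")
| eval series=coalesce(UserAgent, "unknown") . " (" . outcome . ")"
| timechart span=5m count by series limit=10 useother=true
```

Replacing _time with the parsed request timestamp makes timechart bucket on when the request actually began rather than when Splunk indexed the event, which removes the catch-up spikes; the "^[45]" match classifies every 4xx and 5xx status as failed so both outcomes appear per UserAgent.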