Channel: Questions in topic: "splunk-enterprise"

Help getting multiple columns from a chart

I've spent the last week trying to figure out the answer to this myself in the documentation and in the questions. I'm sure this is easy if you've been using Splunk for any length of time, but I'm very new. Also, I've submitted a project request for the Splunk team to help me, but they won't even touch it until it goes through an approval process.

Here's my question: I have the following Splunk query that works:

index=MyWebServer ("WebService_01" AND "input") OR ("WS Total time") | transaction TID host startswith="input" endswith="WS Total time" | timechart span=1m count, avg(WSTotalTimeValue), max(WSTotalTimeValue), perc95(WSTotalTimeValue)

I need to add 2 more columns and add more web service names. Consider the following to be pseudocode:

index=MyWebServer (("WebService_01" OR "WebService_02" OR "WebService_03" OR "WebService_04") AND "input") OR ("WS Total time") | transaction TID host startswith="input" endswith="WS Total time" | timechart span=1m username, webservicename, count, avg(WSTotalTimeValue), max(WSTotalTimeValue), perc95(WSTotalTimeValue)

I've tried a variety of stats, bin, chart, etc. commands to try to get it to work, but the syntax is just too new to me to get it to work. Any advice would be appreciated. Thanks.
