https://community.splunk.com/t5/Security/How-to-get-http-error-codes-count/m-p/314228#M12545 <P>if you want to shorten your search string and get anything which isn't 200 you can also just use<BR /> status!=200</P> Tue, 30 May 2017 20:55:11 GMT anthonymelita 2017-05-30T20:55:11Z https://community.splunk.com/t5/Security/How-to-get-http-error-codes-count/m-p/314226#M12543 <P>Hi,</P> <P>I have the following log:</P> <P>01.01.01.56 - - [20/May/2016:09:22:44 +0000] "GET /parking/js/node.js HTTP/1.1" 302 -</P> <P>01.01.01.56 - - [20/May/2016:06:44:44 +0000] "GET /outside/js/node.js HTTP/1.1" 404 -</P> <P>How do i run a search to extract all the different HTTP error codes other then 200 and graph the results for example</P> <P>http 302 = 130<BR /> http 404 = 90<BR /> In the end i want it to be displayed as a bar gragh</P> <P>I used:<BR /> sourcetype=tomcat 400 OR 401 OR 403 OR 404 OR 502 OR 503 </P> Tue, 30 May 2017 10:00:23 GMT https://community.splunk.com/t5/Security/How-to-get-http-error-codes-count/m-p/314226#M12543 cloud111 2017-05-30T10:00:23Z https://community.splunk.com/t5/Security/How-to-get-http-error-codes-count/m-p/314227#M12544 <P>Have you checked in verbose mode whether http <STRONG>status</STRONG> field is getting extracted for your <STRONG>tomcat</STRONG> sourcetype or not? If it is not then ideally you should created a Field Extraction for 304, 404 using Splunk's Interactive Field Extraction through Extract Fields option in the Search Menu. Refer to documentation <A href="http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/ExtractfieldsinteractivelywithIFX">http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/ExtractfieldsinteractivelywithIFX</A></P> <P>Otherwise temporarily you can create Field extraction directly in your SPL using the rex command if you are aware of Regular Expressions. You might have to try with different types of sample to make sure Regular Expression is universal.</P> <PRE><CODE>sourcetype=tomcat 400 OR 401 OR 403 OR 404 OR 502 OR 503 | rex field=_raw "(?ms)^(?:[^ \\n]*){8}(?P&lt;status&gt;\\d+)" | stats count by status </CODE></PRE> <P>PS: Above rex is based on Data Sample Provided. Once you have tested regular expression using rex, you should create a Field Extraction through the Regular Expression.</P> <P>Another not so clean option would be to use <STRONG>searchmatch</STRONG></P> <PRE><CODE>sourcetype=tomcat 400 OR 401 OR 403 OR 404 OR 502 OR 503 | eval status=case(searchmatch("400"),400,searchmatch("401"),401,searchmatch("403"),403,searchmatch("404"),404,searchmatch("502"),502,searchmatch("503"),503,true(),"Unknown") | stats count by status </CODE></PRE> <P>Do check out Splunk Add On for Tomcat on Splunkbase, so that Tomcat data is processed as per CIM.</P> Tue, 30 May 2017 14:37:16 GMT https://community.splunk.com/t5/Security/How-to-get-http-error-codes-count/m-p/314227#M12544 niketn 2017-05-30T14:37:16Z https://community.splunk.com/t5/Security/How-to-get-http-error-codes-count/m-p/314228#M12545 <P>if you want to shorten your search string and get anything which isn't 200 you can also just use<BR /> status!=200</P> Tue, 30 May 2017 20:55:11 GMT https://community.splunk.com/t5/Security/How-to-get-http-error-codes-count/m-p/314228#M12545 anthonymelita 2017-05-30T20:55:11Z https://community.splunk.com/t5/Security/How-to-get-http-error-codes-count/m-p/314229#M12546 <P>Maybe this? To stop you having to write out every status code except 200. </P> <P>anything other than 200 - <BR /> sourcetype=tomcat | insert regex to extract status here| where status!=200 | stats count by status</P> <P>or if you create status as a search time extraction-<BR /> sourcetype=tomcat status!=200 | stats count by status</P> <P>To have a more accurate "error" reading, use &gt;399 </P> Wed, 31 May 2017 13:38:12 GMT https://community.splunk.com/t5/Security/How-to-get-http-error-codes-count/m-p/314229#M12546 WalshyB 2017-05-31T13:38:12Z