https://community.splunk.com/t5/Splunk-Search/How-to-find-the-totals-of-status-codes-per-uri-per-day/m-p/337476#M100144 <P>you did the hardest part, once there are results filtering was easy.</P> Mon, 29 Jan 2018 09:41:58 GMT Arjang 2018-01-29T09:41:58Z https://community.splunk.com/t5/Splunk-Search/How-to-find-the-totals-of-status-codes-per-uri-per-day/m-p/337472#M100140 <P>I am using the following search:</P> <PRE><CODE>( sourcetype=iis ) sc_status=500 |stats count by uri_path sc_status date </CODE></PRE> <P>but that only gives me the failures, I want the successes for them as well i.e. <CODE>sc_status=200 or other sc_status</CODE></P> <P>If I try :</P> <PRE><CODE>( sourcetype=iis ) |stats count by uri_path sc_status date </CODE></PRE> <P>I get too many results that had never had 400, 500, i.e. the ur_path s that always were successful,<BR /> I just want the </P> <PRE><CODE>( sourcetype=iis ) |stats count by uri_path sc_status date </CODE></PRE> <P>results sets that contain at least one <CODE>sc_status &gt;400</CODE></P> <P>I tried using join, inner join (1)</P> <PRE><CODE> ( sourcetype=iis ) sc_status=500 |stats count by uri_path sc_status date </CODE></PRE> <P>with (2)</P> <PRE><CODE> ( sourcetype=iis ) |stats count by uri_path sc_status date </CODE></PRE> <P>I got this :</P> <PRE><CODE>( sourcetype=iis ) sc_status=500 |fields uri_path | join uri_path [search sourcetype=iis | fields uri_path,sc_status,date ] | stats count by uri_path , sc_status , date| sort -count </CODE></PRE> <P>but the result does not contain any <CODE>sc_status = 500</CODE></P> <P>The result should be (2) where each one of the uri_path was in (1).<BR /> That means <CODE>sc_status = 500</CODE> should also be included in the final result.<BR /> Maybe there is an alternative way of finding the totals of status codes per uri per day. I would be happy with just a result like so</P> <PRE><CODE>uri_path,sc_"statusLessThan400","sc_statusGreaterThanOrEqualTo400",date </CODE></PRE> Tue, 29 Sep 2020 17:51:51 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-the-totals-of-status-codes-per-uri-per-day/m-p/337472#M100140 Arjang 2020-09-29T17:51:51Z https://community.splunk.com/t5/Splunk-Search/How-to-find-the-totals-of-status-codes-per-uri-per-day/m-p/337473#M100141 <P>@Arjang, please try the following:</P> <PRE><CODE> sourcetype=iis ) sc_status=* | stats count(eval(sc_status=200)) as Success count(eval(sc_status!=200)) as Failures by uri_path sc_status date </CODE></PRE> Mon, 29 Jan 2018 08:33:07 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-the-totals-of-status-codes-per-uri-per-day/m-p/337473#M100141 niketn 2018-01-29T08:33:07Z https://community.splunk.com/t5/Splunk-Search/How-to-find-the-totals-of-status-codes-per-uri-per-day/m-p/337474#M100142 <P>Thank you!</P> <P>I ended up using :</P> <PRE><CODE>(sourcetype=iis ) sc_status=* CurrentWork | stats count(eval(sc_status=200)) as Success count(eval(sc_status!=200)) as Failures by uri_path date | search Failures &gt; 0 | fields uri_path, date, Success,Failures </CODE></PRE> Mon, 29 Jan 2018 08:52:09 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-the-totals-of-status-codes-per-uri-per-day/m-p/337474#M100142 Arjang 2018-01-29T08:52:09Z https://community.splunk.com/t5/Splunk-Search/How-to-find-the-totals-of-status-codes-per-uri-per-day/m-p/337475#M100143 <P>Great... I am sorry I think I missed the second part of your question. Glad you figured it out <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Mon, 29 Jan 2018 09:17:55 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-the-totals-of-status-codes-per-uri-per-day/m-p/337475#M100143 niketn 2018-01-29T09:17:55Z https://community.splunk.com/t5/Splunk-Search/How-to-find-the-totals-of-status-codes-per-uri-per-day/m-p/337476#M100144 <P>you did the hardest part, once there are results filtering was easy.</P> Mon, 29 Jan 2018 09:41:58 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-the-totals-of-status-codes-per-uri-per-day/m-p/337476#M100144 Arjang 2018-01-29T09:41:58Z