topic How to extract HTTP status codes in report? in Splunk Search

How to extract HTTP status codes in report?

ruchijain — Mon, 17 Jun 2019 15:53:01 GMT

Hi,
I know how to extract the HTTP Status from Splunk. But I need it in the below format which I am not able to do:

If any status with 2% and 3% then it will show as "Success"
Apart from that, it will show all the status codes (example 400, 428, 430, 500, 520 or anything )

I am able to extract all the codes:

|eval status=case(like(status,"2%"),"2xx",like(status,"3%"),"3xx",like(status,"4%"),"4xx",like(status,"5%"),"5xx") | stats count by status | eventstats sum(count) as perc | eval perc=round(count*100/perc,2)

But in this, the table is like this:

status  count  perc
2xx  3154   96.63
3xx  44  1.35
4xx  66  2.02

If I remove the eval and like statement then it will show the result as below:

status count perc
200 2922  88.84
201 252   7.66
302 22  0.67
304 25  0.76
401 9    0.27
404 6    0.18
422 53  1.61

Whereas I want the result as below:

Status              count   perc
success(2X and 3X)  300     8.00
401                 9       0.27
404                 6       0.18
422                 53      1.61

Can anyone help me? Thank you.

Re: How to extract HTTP status codes in report?

somesoni2 — Mon, 17 Jun 2019 16:11:56 GMT

Try like this

your base search
|eval status=if(like(status,"2%") OR like(status,"3%"),"Success",status) 
| top 0 status

The top command does what you want to do with your stats-eventstats-eval combo.

Re: How to extract HTTP status codes in report?

Vijeta — Mon, 17 Jun 2019 17:20:30 GMT

@ruchijain Try below

<your base search>| eval status=if(like(status,"2%") OR like(status,"3%"),"Success",status) | stats count by status| eventstats sum(count) as perc | eval perc=round(count*100/perc,2)

Re: How to extract HTTP status codes in report?

jnudell_2 — Mon, 17 Jun 2019 17:35:18 GMT

If you want what you exactly wrote:

... [ you search ] ...
| eval status = if(match(status, "^[23]\d\d"), "success(2X and 3X)", status)
| top status