topic Re: Get last two http status for every subpage in Splunk Search https://community.splunk.com/t5/Splunk-Search/Get-last-two-http-status-for-every-subpage/m-p/463687#M130720 <P>sample:</P> <PRE><CODE>index=_internal sourcetype=splunkd_ui_access | reverse | streamstats global=f list(status) as last2Status window=2 by uri_path | reverse </CODE></PRE> <P>use <CODE>list()</CODE> with <CODE>global=f</CODE> option.</P> Sun, 31 May 2020 01:47:14 GMT to4kawa 2020-05-31T01:47:14Z Get last two http status for every subpage https://community.splunk.com/t5/Splunk-Search/Get-last-two-http-status-for-every-subpage/m-p/463686#M130719 <P>Hello,</P> <P>I need to query all last two http status for every page (extracted from URI)</P> <P>For example for this log:</P> <PRE><CODE>ip_address - - [23/May/2020:18:22:16] "GET /test HTTP 1.1" 200 1665 "http://www.testwebsite.com/test "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5" 159 ip_address - - [23/May/2020:19:24:09] "GET /test HTTP 1.1" 404 2301 "http://www.testwebsite.com/test" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5" 159 </CODE></PRE> <P>I'd like to query for page /test two last codes, in this case 404 and 200.</P> <P>I tried something with streamstats but I dont really know how to combine this into one single query:</P> <PRE><CODE>| streamstats values(status) by uri_path window=2 </CODE></PRE> Mon, 08 Jun 2020 18:12:35 GMT https://community.splunk.com/t5/Splunk-Search/Get-last-two-http-status-for-every-subpage/m-p/463686#M130719 ezoteriusz 2020-06-08T18:12:35Z Re: Get last two http status for every subpage https://community.splunk.com/t5/Splunk-Search/Get-last-two-http-status-for-every-subpage/m-p/463687#M130720 <P>sample:</P> <PRE><CODE>index=_internal sourcetype=splunkd_ui_access | reverse | streamstats global=f list(status) as last2Status window=2 by uri_path | reverse </CODE></PRE> <P>use <CODE>list()</CODE> with <CODE>global=f</CODE> option.</P> Sun, 31 May 2020 01:47:14 GMT https://community.splunk.com/t5/Splunk-Search/Get-last-two-http-status-for-every-subpage/m-p/463687#M130720 to4kawa 2020-05-31T01:47:14Z