https://community.splunk.com/t5/Splunk-Search/Grouping-Range-HTTP-Status-codes/m-p/342481#M161304 <P>Wow, tat is pretty good! It doesn't seem to get the 500-599 ones though. </P> Thu, 20 Apr 2017 19:05:58 GMT dbcase 2017-04-20T19:05:58Z https://community.splunk.com/t5/Splunk-Search/Grouping-Range-HTTP-Status-codes/m-p/342479#M161302 <P>Hi,</P> <P>I have queries that I'd like to group HTTP Status codes together... (i.e. anything 200-299, or 300-399, or 400-499, or 500-599) . I have a dropdown that prompts the user to select</P> <PRE><CODE> &lt;input type="dropdown" token="http_code" searchWhenChanged="true"&gt; &lt;label&gt;Select Http Status Code Range:&lt;/label&gt; &lt;default&gt;200&lt;/default&gt; &lt;choice value="200"&gt;200 - 299&lt;/choice&gt; &lt;choice value="300"&gt;300 - 399&lt;/choice&gt; &lt;choice value="400"&gt;400 - 499&lt;/choice&gt; &lt;choice value="500"&gt;500 - 599&lt;/choice&gt; &lt;/input&gt; </CODE></PRE> <P>but I'm not sure how to get the query working. This is what I have it it kinda works but it still returns other codes even thought the value is zero</P> <PRE><CODE>index=itscom source=*access* |rex "HTTP\S+ (?&lt;status&gt;\d+)"|stats count(eval(searchmatch("status=2*"))) as "200-299" by status </CODE></PRE> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/2815iD749E32A142485B2/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Thu, 20 Apr 2017 18:26:09 GMT https://community.splunk.com/t5/Splunk-Search/Grouping-Range-HTTP-Status-codes/m-p/342479#M161302 dbcase 2017-04-20T18:26:09Z https://community.splunk.com/t5/Splunk-Search/Grouping-Range-HTTP-Status-codes/m-p/342480#M161303 <P>Try this</P> <PRE><CODE>index=itscom source=*access* |rex "HTTP\S+ (?&lt;status&gt;\d+)" | bucket status span=100 | eval status=mvindex(split(status,"-"),0)."-".(tonumber(mvindex(split(status,"-"),1))-1) | stats count by status </CODE></PRE> Thu, 20 Apr 2017 18:56:52 GMT https://community.splunk.com/t5/Splunk-Search/Grouping-Range-HTTP-Status-codes/m-p/342480#M161303 somesoni2 2017-04-20T18:56:52Z https://community.splunk.com/t5/Splunk-Search/Grouping-Range-HTTP-Status-codes/m-p/342481#M161304 <P>Wow, tat is pretty good! It doesn't seem to get the 500-599 ones though. </P> Thu, 20 Apr 2017 19:05:58 GMT https://community.splunk.com/t5/Splunk-Search/Grouping-Range-HTTP-Status-codes/m-p/342481#M161304 dbcase 2017-04-20T19:05:58Z https://community.splunk.com/t5/Splunk-Search/Grouping-Range-HTTP-Status-codes/m-p/342482#M161305 <P>Lets try this than</P> <PRE><CODE>index=itscom source=*access* |rex "HTTP\S+ (?\d+)" | bucket status span=100 | eval status=mvindex(split(status,"-"),0)."-".(tonumber(mvindex(split(status,"-"),0))+99) | stats count by status </CODE></PRE> Thu, 20 Apr 2017 19:08:25 GMT https://community.splunk.com/t5/Splunk-Search/Grouping-Range-HTTP-Status-codes/m-p/342482#M161305 somesoni2 2017-04-20T19:08:25Z https://community.splunk.com/t5/Splunk-Search/Grouping-Range-HTTP-Status-codes/m-p/342483#M161306 <P>nevermind, my fat fingers can't type so well <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 20 Apr 2017 19:09:25 GMT https://community.splunk.com/t5/Splunk-Search/Grouping-Range-HTTP-Status-codes/m-p/342483#M161306 dbcase 2017-04-20T19:09:25Z