Group by responseCode

tamnor — Mon, 28 Sep 2020 13:26:59 GMT

Hi I have the following query that creates a report of the major transactions for a website with their count and average response time. I would like to seperate the count column into number requests that succeeded and requests that failed for each request type, i.e so divide this count column into requests with response code 200 and requests with response code of anything other than 200.

index=vero_anzn_prod approveRiskRequest OR finalizeQuote OR premiumGrid OR approveRiskAccept OR illustration OR archiveRisks OR premiumInstallments OR add OR recalculateRates OR cancelPolicy OR completeScenario OR search OR save OR getPDF NOT (uri=.js OR uri=.png OR uri=.css OR uri=.gif OR uri=.ico OR uri=.jpg)
| rex field=uri_path mode=sed "s/quote\/[0-9]+/quote\/QUOTENO/"
.
.
.
| rex field=uri_path mode=sed "s/referralHistory\/.*\//referralHistory\/REFHSEARCH\//"
| eval Request=uri_path.method
| stats count avg(responseTime) BY Request

I realize I could add responseCode to the BY part of the query but this doesn't give me exactly what I want.

Thanks.

Tam.

Re: Group by responseCode

gkanapathy — Wed, 06 Mar 2013 01:21:22 GMT

replace your stats command with:

... | eval type=if(responseCode=="200","good","bad") | stats count avg(responeTime) by Request,type

topic Re: Group by responseCode in Splunk Search

Group by responseCode

Re: Group by responseCode