topic Re: How to get the status wise data in Splunk Search

How to get the status wise data

SG — Tue, 30 Nov 2021 06:50:22 GMT

Hi,

I wrote below query which gives me data per service per min...

index=**** | bucket _time span=1m | convert ctime(_time) AS Hour timeformat="%H:%M" | stats count AS Requests by service, Hour

Below is the screenshot for same

the requests i wanted to split based on HTTP status code (200, 404, 302, 500 etc). I am using below query for same but i am unabe to get the data.

index=*** | bucket _time span=1m | convert ctime(_time) AS Hour timeformat="%H:%M" | chart count AS Requests,status as HTTP_status by service, Hour

error screen shot -

Can someone please help me how to get the number of requests by status code?

Thanks,

Re: How to get the status wise data

PickleRick — Tue, 30 Nov 2021 07:03:11 GMT

First things first - you don't usually want to do bucketting and then stats by time because you have a specialized command for this - timechart

So your search may be rewritten simply as

index=***
| timechart span=1m count AS Requests status as HTTP_status by service

Re: How to get the status wise data

SG — Tue, 30 Nov 2021 07:07:23 GMT

HI @PickleRick ,

Thanks for your response.

Above method also giving error as below..

Thanks,

Re: How to get the status wise data

PickleRick — Tue, 30 Nov 2021 08:13:50 GMT

Ahhh, right. Forgot about that 🙂

Transforming commands need some form of aggregation function to be applied to fields. So you can't just give a simple field name. You can have count(status) or dc(status) or any other statistical function. In your case, I suppose values(status) will do.

Or if you want to further break down your results by status move the status from the aggregation to the "by" clause

| timechart span=1m count by status service

EDIT: As @ITWhisperer already mentioned, this solution is wrong because of two separate dimension used for classifying events for stats. So we can either use manual binning and statsing or we have another solution - we can create an artificial combined dimension:

| eval servicestatus=service."-".status
| timechart span=1m count by servicestatus

Re: How to get the status wise data

ITWhisperer — Tue, 30 Nov 2021 07:21:09 GMT

chart (or timechart as @PickleRick suggested) doesn't work with 4 dimensions (time, service, status and count). if you want just status then use

| chart count AS Requests by HTTP_status, Hour

Re: How to get the status wise data

SG — Tue, 30 Nov 2021 07:25:35 GMT

In this case i will not be able to bifurcate my stats service wise.

Re: How to get the status wise data

ITWhisperer — Tue, 30 Nov 2021 07:28:46 GMT

Not with chart - you can use stats however

| stats count by Hour service HTTP_status

Re: How to get the status wise data

PickleRick — Tue, 30 Nov 2021 08:11:19 GMT

@ITWhisperer Ahhh. You're right. I keep forgetting that and facepalm myself every so often 😄

Indeed, that's one of the cases where binning with time actually makes sense.