topic Re: query in Splunk Search

How to summarize HTTP request logs?

sahana — Sun, 04 Feb 2024 12:58:04 GMT

I have a requirement where I need to fetch the success, failure count and average response time. In events field I have entry like httpsCode and timetaken. where timetaken returns values like 628, 484 etc.... the case is like httpscode is 200 it should be treated as success count and others should be treated as failure count.... finally the statistics table should show values of success,failure and average response time....

Re: query

ITWhisperer — Sun, 04 Feb 2024 09:53:30 GMT

| stats avg(timetaken) count(eval(httpsCode == 200)) as success count(eval(httpsCode != 200)) as failure

Re: query

sahana — Sun, 04 Feb 2024 11:33:42 GMT

i have around 25 events with httpsCode = 200 OK but when use the above function it returns 0 in the success column

Re: query

ITWhisperer — Sun, 04 Feb 2024 15:16:19 GMT

Has httpsCode been extracted OK? Please share some sample event, anonymised of course.

Re: query

yuanliu — Sun, 04 Feb 2024 20:38:19 GMT

As @ITWhisperer suggested, you should check and post accuracy of relevant data. I highly doubt if you have a field called httpsCode. It is more likely httpCode, if the field is provided by Splunk at all. If it not already extracted, you need to first extract it. If you need help with extraction, you will need to post raw data (anonymize as needed).

More than that, a good, answerable question should illustrate desired results and explain the logic between illustrated dataset and desired results. This relieves volunteers of the burden to read your mind. Statistically, mind reading is more wrong than correct.

This said, I interpret your intention as to discern the count and average timetaken - again, if this field is named such and already extracted in Splunk, by "success" or "failure" status. Maybe this will help.

| eval status = if(match(httpCode, "200|30[0-4,78]"), "success", "failure") | stats avg(timetaken) count by status

Note that 3xx return codes are generally success statuses. Unless you have specific reasons to classify them as "failure", they should be grouped into success.

Hope this helps.

Re: query

sahana — Wed, 07 Feb 2024 11:04:12 GMT

Thanks for the info shared able to fetch the results.....

I have another requirement like, I want to show an bar chart which should show the total login count in basis of the time period we submit

for example if we select 2 days it should show the bar chart where y is for login count and x is for time slection (in basis of day interval like 6thfeb 7th feb like this)