Solved: basic http status query (404 error 200 success) - Splunk Community

All Apps and Add-ons

I would like to show http traffic from my f5 (load balancer) to web servers for statuses 200 and 404 (200 green, 404 red). As a basic example something like this:

index = iis
| stats sum(eval(status="404")) as error sum(eval(status="200")) as success by dest_ip
|eval from="f5" , to=dest_ip
|head 100
|table from to success error

I can't seem to get the flows working. I have changed names to match error, warn, good but have not had much success.

any pointers would be appreciated.

please feel free to expand on this query to add more value. My aim is to visualize traffic flows to show when there are issues etc

1 Solution

Solution

Hi @nathanluke86

Thanks for using my Viz. This query should work:

index = iis
| stats count(eval(status="404")) as error count(eval(status="200")) as good by dest_ip
|eval from="f5" , to=dest_ip
|head 100
|table from to good error

View solution in original post

Solution

Hi @nathanluke86

Thanks for using my Viz. This query should work:

index = iis
| stats count(eval(status="404")) as error count(eval(status="200")) as good by dest_ip
|eval from="f5" , to=dest_ip
|head 100
|table from to good error

Thanks, this worked perfectly

Hi,
I'd like to show near real time web traffic without refresh dashboard,
any pointers would be appreciated.

Is there also a way to display Success instead of good

at the end of your query, add this:

| eval label = "Success: " + good + " Error: " + error

Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members! The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...