How to return status codes from interesting field ...

sdickerson · ‎03-15-2019

i am running a basic search:

index=apigee host="mock" "apiproxy.name"=GetQuoteServices_v1_Manual ("error.status.code"=400 OR "error.status.code"=401 OR "error.status.code"=403 OR "error.status.code"=404 OR "error.status.code"=429 OR "error.status.code"=500 OR "error.status.code"=502 OR "error.status.code"=503 OR "error.status.code"=504 OR statuscode!=200)

I would like to push the output of this search to a bar graph so it is easy to view from a dashboard. The bar graph should have a bar for each status code. Below is what I am using but all I get is 2 bars in it with one bar being the "400" status code and the other just being blank :

| top limit=0 statuscode | fields statuscode count

mayurr98 · ‎03-15-2019

Hello
I am sure that the problem is with your main search. fields error.status.code and statuscode is in one event?
if yes, then both field contains the same values? if yes then use

 index=apigee host="mock" "apiproxy.name"=GetQuoteServices_v1_Manual ("error.status.code"=400 OR "error.status.code"=401 OR "error.status.code"=403 OR "error.status.code"=404 OR "error.status.code"=429 OR "error.status.code"=500 OR "error.status.code"=502 OR "error.status.code"=503 OR "error.status.code"=504)

otherwise

index=apigee host="mock" "apiproxy.name"=GetQuoteServices_v1_Manual ("error.status.code"=400 OR "error.status.code"=401 OR "error.status.code"=403 OR "error.status.code"=404 OR "error.status.code"=429 OR "error.status.code"=500 OR "error.status.code"=502 OR "error.status.code"=503 OR "error.status.code"=504)  statuscode!=200

If both the fields are not in one event and as your query is based on statuscode only then error.status.code field is irrelevant over here.
To troubleshoot your query you should look into raw data only. so look at the values of both the fields and us e boolean operators (OR,NOT,AND) accordingly.

Also on the reporting side use

| top limit=0 statuscode showperc=f to avoid using unnecessary command fields

sdickerson · ‎03-19-2019

So I was able to get the search working with the coalesce option:

index=apigee host=mock | eval xStatuscode=coalesce(tonumber('response.status.code'),tonumber('error.status.code'),tonumber('statuscode')) | top limit=0 xStatuscode showperc=f

This will show all status codes and chart them out in a nice visualization. Thanks again for your assistance.

sdickerson · ‎03-18-2019

Thanks for the advice! With what you provided and Splunk Documentation I was able to get the following search to work:

index=apigee host="mock" "apiproxy.name"=GetQuoteServices_v1_Manual error.status.code IN (400, 401, 402, 403, 404) | top limit=0 error.status.code showperc=f

The issue is when trying to combine it with the almost the exact same search to get the 200 responses does not seem to work. The 200 responses are under a different interesting field so this is where it gets hairy. I attempted the following with no luck:

multisearch [search index=apigee host="mock" "apiproxy.name"=GetQuoteServices_v1_Manual error.status.code IN (400, 401, 403, 404, 500, 502, 503, 504)] | eval type="error_search" [search index=apigee host="mock" "apiproxy.name"=GetQuoteServices_v1_Manual response.status.code IN (200, 201, 202, 203)] | eval type="success_search"

I am assuming there is some sort of operator to use so the search is aware to run both searches but as of this point I have not had much luck. Any thoughts?

How to return status codes from interesting field to a bar chart?

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...