Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I count the number of status codes and group them in a single category?

wjz
New Member
‎11-17-2017 07:58 AM

Hi,

I'd like to count the number of HTTP 2xx and 4xx status codes in responses, group them into a single category and then display on a chart. The count itself works fine, and I'm able to see the number of counted responses. I'm basically counting the number of responses for each API that is read from a CSV file.

However, I'm struggling with the problem that I'd like to count the number 2xx and 4xx statuses, sum them and group under a common label named: "non5xx" that refers to non-server status codes and display on a chart.

So far, I've come up with the following search query, but it fails to meet my expectations:

[| inputlookup api_names_file.csv | rename AppName to app_name | table app_name ] | chart count(eval(like(status, "2%"))) AS successResponses, count(eval(like(status, "4%"))) AS clientErrorResponses, count(eval(like(status, "5%"))) AS 5xx BY status | eval total = (successResponses + clientErrorResponses) | eventstats sum(total) AS non5xx by status | fields non5xx, 5x

Ideally, I'd like to end up with the following chart:
alt text

  • The non5xx group would refer to the summed number of all 2xx and 5xx status codes e.g. HTTP 200, 201 etc.
  • The 5xx group would describe server error status codes such as 500, 501 etc.

Is it possible to display such a common label consisting of the sum of two responses on an arbitrary chart e.g. a pie chart?

Thanks in advance

Preview file
20 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎11-17-2017 09:07 AM

Hi @wjz,

I think it is the same question.

https://answers.splunk.com/answers/591435/counting-the-number-of-responses-and-displaying-in.html

have you tried these searches suggested in above question??

Search for the count of status like 2xx,4xx & 5xx.

| inputlookup api_names_file.csv | eval status=case(like(status, "2%"),"2xx",like(status, "4%"),"4xx",like(status, "5%"),"5xx") | stats count by status

Search for the count of status like non5xx & 5xx.

| inputlookup api_names_file.csv | eval status=case(like(status, "2%") OR like(status, "4%"),"non5xx",like(status, "5%"),"5xx") | stats count by status

Just change the visualization to the pie chart.

Happy Splunking

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎11-17-2017 09:07 AM

Hi @wjz,

I think it is the same question.

https://answers.splunk.com/answers/591435/counting-the-number-of-responses-and-displaying-in.html

have you tried these searches suggested in above question??

Search for the count of status like 2xx,4xx & 5xx.

| inputlookup api_names_file.csv | eval status=case(like(status, "2%"),"2xx",like(status, "4%"),"4xx",like(status, "5%"),"5xx") | stats count by status

Search for the count of status like non5xx & 5xx.

| inputlookup api_names_file.csv | eval status=case(like(status, "2%") OR like(status, "4%"),"non5xx",like(status, "5%"),"5xx") | stats count by status

Just change the visualization to the pie chart.

Happy Splunking

0 Karma
Reply
Solved! Jump to solution

wjz
New Member
‎11-20-2017 06:34 AM

Hi,

Yes, I've accidentally posted two questions. Of course, it solved my problems and it works like a charm.
Thank you once again! 🙂

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

What Is Splunk? Here’s What You Can Do with Splunk

Hey Splunk Community, we know you know Splunk. You likely leverage its unparalleled ability to ingest, index, ...

Level Up Your .conf25: Splunk Arcade Comes to Boston

With .conf25 right around the corner in Boston, there’s a lot to look forward to — inspiring keynotes, ...

Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...

Although it might seem daunting, as we’ve seen in this series, manual instrumentation can be straightforward ...