Solved: how to consolidate 200/500 error counts in access....

anasar · ‎01-13-2016

I have access.log data in index access_index. How can I draw a graph counting 200's and 500's. If I draw for last 1 hour, 2 line graph showing the counts.

index="access_index" response=200 OR response=500.

But after that, I'm lost.

jluo_splunk · ‎01-13-2016

Hi Anasar,

You can use the timechart command if you'd like to see the data plotted against time.

index="access_index" response=200 OR response=500 | timechart count by response

View solution in original post

yannK · ‎01-13-2016

try this in a visualization panel

index="access_index" response=200 OR response=500 | timechart count by response

If you want to actually count all the 2** and 5** status, not just the 200 and 500.
you can use an eval condition to extract a new field

index="access_index" response=2* OR response=5*  |  eval consolidated_response=case(response>=200 AND response<300,"200 range",response>=500 AND response<600,"500 range",1=1,"other" | search NOT consolidated_response="other" | timechart count by consolidated_response

jluo_splunk · ‎01-13-2016

Hi Anasar,

You can use the timechart command if you'd like to see the data plotted against time.

index="access_index" response=200 OR response=500 | timechart count by response

how to consolidate 200/500 error counts in access.log?

User Groups | Upcoming Events!

Splunk Lantern | Spotlight on Security: Adoption Motions, War Stories, and More

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)