Solved: How to create a statistical report based on search...

mugilbala · ‎06-05-2018

Hi,

I have following log statements about access to the application.

[05/Jun/2018:07:25:03 +0000] "GET /healthcheck.jsp HTTP/1.1" 200 259 0 [a10hm/1.0] [-] inbound-8080-1 [-]
[05/Jun/2018:07:25:03 +0000] "GET /healthcheck.jsp HTTP/1.1" 200 259 0 [a10hm/1.0] [-] inbound-8080-232 [-]
[05/Jun/2018:07:25:06 +0000] "DELETE /appname/account/1.0/records/2222005725 HTTP/1.1" 500 235 392 [Apache-HttpClient/4.3.6.redhat-1 (java 1.5)] [0] inbound-8080-15 [-]
[05/Jun/2018:11:00:01 +0000] "PUT /appname/account/1.0/records/4754600006 HTTP/1.1" 500 249 553 [Apache-HttpClient/4.3.6.redhat-1 (java 1.5)] [198] inbound-8080-119 [-]
[05/Jun/2018:11:00:03 +0000] "POST /appname/account/1.0/records/9595600004 HTTP/1.1" 500 249 876 [Apache-HttpClient/4.3.6.redhat-1 (java 1.5)] [206] inbound-8080-130 [-]
[05/Jun/2018:11:00:06 +0000] "GET /appname/account/1.0/records/1222024002 HTTP/1.1" 500 249 243 [Apache-HttpClient/4.3.6.redhat-1 (java 1.5)] [206] inbound-8080-61 [-]
[05/Jun/2018:07:25:07 +0000] "GET /healthcheck.jsp HTTP/1.1" 200 259 0 [a10hm/1.0] [-] inbound-8080-249 [-]
[05/Jun/2018:11:50:57 +0000] "POST /appname/video/1.1/sites/182/transactions HTTP/1.1" 201 331 164 [Apache-HttpClient/4.3.6.redhat-1 (java 1.5)] [930] inbound-8080-238 [-]
[05/Jun/2018:11:51:02 +0000] "POST /appname/broadband/1.1/sites/182/transactions HTTP/1.1" 201 331 106 [Apache-HttpClient/4.3.6.redhat-1 (java 1.5)] [901] inbound-8080-185 [-]

Where each statement logs the incoming request type and the url, status code, size of the request and Time taken to respond.

For example, in this statement - [05/Jun/2018:07:25:06 +0000] "DELETE /appname/account/1.0/records/2222005725 HTTP/1.1" 500 235 392 [Apache-HttpClient/4.3.6.redhat-1 (java 1.5)] [0] inbound-8080-15 [-]

request type and url - DELETE /appname/account/1.0/records/2222005725
status code - 500
Size - 235
Time - 392

I would need to produce a report by request type, url and status code. How many requests were passed, failed and so on in an hour.

Please help me with creating the splunk query for this.

Thank you

richgalloway · ‎06-05-2018

Assuming none of the fields are extracted, this should get you started.

index=foo | rex "\"(?<requestType>\w+)\s(?<url>[^\s]+)\s.*\"\s(?<status>\d+)\s(?<size>\d+)\s(?<time>\d+)" | stats count(eval(status==200)) as passed count(eval(status!=200)) as failed by requestType url status

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎06-05-2018

Assuming none of the fields are extracted, this should get you started.

index=foo | rex "\"(?<requestType>\w+)\s(?<url>[^\s]+)\s.*\"\s(?<status>\d+)\s(?<size>\d+)\s(?<time>\d+)" | stats count(eval(status==200)) as passed count(eval(status!=200)) as failed by requestType url status

---
If this reply helps you, Karma would be appreciated.

adonio · ‎06-05-2018

@mugilbala i think there's a prebuilt TA for this data source ...

mugilbala · ‎06-05-2018

Thank you. It worked. Appreciate your help.

How to create a statistical report based on search results?

Enterprise Security Content Update (ESCU) | New Releases

Index This | Divide 100 by half. What do you get?

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!