Reporting

How to create a statistical report based on search results?

mugilbala
Engager

Hi,

I have following log statements about access to the application.

[05/Jun/2018:07:25:03 +0000] "GET /healthcheck.jsp HTTP/1.1" 200 259 0 [a10hm/1.0] [-] inbound-8080-1 [-]
[05/Jun/2018:07:25:03 +0000] "GET /healthcheck.jsp HTTP/1.1" 200 259 0 [a10hm/1.0] [-] inbound-8080-232 [-]
[05/Jun/2018:07:25:06 +0000] "DELETE /appname/account/1.0/records/2222005725 HTTP/1.1" 500 235 392 [Apache-HttpClient/4.3.6.redhat-1 (java 1.5)] [0] inbound-8080-15 [-]
[05/Jun/2018:11:00:01 +0000] "PUT /appname/account/1.0/records/4754600006 HTTP/1.1" 500 249 553 [Apache-HttpClient/4.3.6.redhat-1 (java 1.5)] [198] inbound-8080-119 [-]
[05/Jun/2018:11:00:03 +0000] "POST /appname/account/1.0/records/9595600004 HTTP/1.1" 500 249 876 [Apache-HttpClient/4.3.6.redhat-1 (java 1.5)] [206] inbound-8080-130 [-]
[05/Jun/2018:11:00:06 +0000] "GET /appname/account/1.0/records/1222024002 HTTP/1.1" 500 249 243 [Apache-HttpClient/4.3.6.redhat-1 (java 1.5)] [206] inbound-8080-61 [-]
[05/Jun/2018:07:25:07 +0000] "GET /healthcheck.jsp HTTP/1.1" 200 259 0 [a10hm/1.0] [-] inbound-8080-249 [-]
[05/Jun/2018:11:50:57 +0000] "POST /appname/video/1.1/sites/182/transactions HTTP/1.1" 201 331 164 [Apache-HttpClient/4.3.6.redhat-1 (java 1.5)] [930] inbound-8080-238 [-]
[05/Jun/2018:11:51:02 +0000] "POST /appname/broadband/1.1/sites/182/transactions HTTP/1.1" 201 331 106 [Apache-HttpClient/4.3.6.redhat-1 (java 1.5)] [901] inbound-8080-185 [-]

Where each statement logs the incoming request type and the url, status code, size of the request and Time taken to respond.

For example, in this statement - [05/Jun/2018:07:25:06 +0000] "DELETE /appname/account/1.0/records/2222005725 HTTP/1.1" 500 235 392 [Apache-HttpClient/4.3.6.redhat-1 (java 1.5)] [0] inbound-8080-15 [-]

request type and url - DELETE /appname/account/1.0/records/2222005725
status code - 500
Size - 235
Time - 392

I would need to produce a report by request type, url and status code. How many requests were passed, failed and so on in an hour.

Please help me with creating the splunk query for this.

Thank you

Tags (2)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Assuming none of the fields are extracted, this should get you started.

index=foo | rex "\"(?<requestType>\w+)\s(?<url>[^\s]+)\s.*\"\s(?<status>\d+)\s(?<size>\d+)\s(?<time>\d+)" | stats count(eval(status==200)) as passed count(eval(status!=200)) as failed by requestType url status 
---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

Assuming none of the fields are extracted, this should get you started.

index=foo | rex "\"(?<requestType>\w+)\s(?<url>[^\s]+)\s.*\"\s(?<status>\d+)\s(?<size>\d+)\s(?<time>\d+)" | stats count(eval(status==200)) as passed count(eval(status!=200)) as failed by requestType url status 
---
If this reply helps you, Karma would be appreciated.

adonio
Ultra Champion

@mugilbala i think there's a prebuilt TA for this data source ...

0 Karma

mugilbala
Engager

Thank you. It worked. Appreciate your help.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...