Reporting

How to create a statistical report based on search results?

Engager

Hi,

I have following log statements about access to the application.

[05/Jun/2018:07:25:03 +0000] "GET /healthcheck.jsp HTTP/1.1" 200 259 0 [a10hm/1.0] [-] inbound-8080-1 [-]
[05/Jun/2018:07:25:03 +0000] "GET /healthcheck.jsp HTTP/1.1" 200 259 0 [a10hm/1.0] [-] inbound-8080-232 [-]
[05/Jun/2018:07:25:06 +0000] "DELETE /appname/account/1.0/records/2222005725 HTTP/1.1" 500 235 392 [Apache-HttpClient/4.3.6.redhat-1 (java 1.5)] [0] inbound-8080-15 [-]
[05/Jun/2018:11:00:01 +0000] "PUT /appname/account/1.0/records/4754600006 HTTP/1.1" 500 249 553 [Apache-HttpClient/4.3.6.redhat-1 (java 1.5)] [198] inbound-8080-119 [-]
[05/Jun/2018:11:00:03 +0000] "POST /appname/account/1.0/records/9595600004 HTTP/1.1" 500 249 876 [Apache-HttpClient/4.3.6.redhat-1 (java 1.5)] [206] inbound-8080-130 [-]
[05/Jun/2018:11:00:06 +0000] "GET /appname/account/1.0/records/1222024002 HTTP/1.1" 500 249 243 [Apache-HttpClient/4.3.6.redhat-1 (java 1.5)] [206] inbound-8080-61 [-]
[05/Jun/2018:07:25:07 +0000] "GET /healthcheck.jsp HTTP/1.1" 200 259 0 [a10hm/1.0] [-] inbound-8080-249 [-]
[05/Jun/2018:11:50:57 +0000] "POST /appname/video/1.1/sites/182/transactions HTTP/1.1" 201 331 164 [Apache-HttpClient/4.3.6.redhat-1 (java 1.5)] [930] inbound-8080-238 [-]
[05/Jun/2018:11:51:02 +0000] "POST /appname/broadband/1.1/sites/182/transactions HTTP/1.1" 201 331 106 [Apache-HttpClient/4.3.6.redhat-1 (java 1.5)] [901] inbound-8080-185 [-]

Where each statement logs the incoming request type and the url, status code, size of the request and Time taken to respond.

For example, in this statement - [05/Jun/2018:07:25:06 +0000] "DELETE /appname/account/1.0/records/2222005725 HTTP/1.1" 500 235 392 [Apache-HttpClient/4.3.6.redhat-1 (java 1.5)] [0] inbound-8080-15 [-]

request type and url - DELETE /appname/account/1.0/records/2222005725
status code - 500
Size - 235
Time - 392

I would need to produce a report by request type, url and status code. How many requests were passed, failed and so on in an hour.

Please help me with creating the splunk query for this.

Thank you

Tags (2)
0 Karma
1 Solution

SplunkTrust
SplunkTrust

Assuming none of the fields are extracted, this should get you started.

index=foo | rex "\"(?<requestType>\w+)\s(?<url>[^\s]+)\s.*\"\s(?<status>\d+)\s(?<size>\d+)\s(?<time>\d+)" | stats count(eval(status==200)) as passed count(eval(status!=200)) as failed by requestType url status 
---
If this reply helps you, an upvote would be appreciated.

View solution in original post

SplunkTrust
SplunkTrust

Assuming none of the fields are extracted, this should get you started.

index=foo | rex "\"(?<requestType>\w+)\s(?<url>[^\s]+)\s.*\"\s(?<status>\d+)\s(?<size>\d+)\s(?<time>\d+)" | stats count(eval(status==200)) as passed count(eval(status!=200)) as failed by requestType url status 
---
If this reply helps you, an upvote would be appreciated.

View solution in original post

SplunkTrust
SplunkTrust

@mugilbala i think there's a prebuilt TA for this data source ...

0 Karma

Engager

Thank you. It worked. Appreciate your help.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!