How to get http error codes count

cloud111
New Member

Hi,

I have the following log:

01.01.01.56 - - [20/May/2016:09:22:44 +0000] "GET /parking/js/node.js HTTP/1.1" 302 -
01.01.01.56 - - [20/May/2016:06:44:44 +0000] "GET /outside/js/node.js HTTP/1.1" 404 -

How do I run a search to extract all the different HTTP error codes other than 200 and graph the results, for example:

http 302 = 130
http 404 = 90

In the end I want it displayed as a bar graph.

I used:
sourcetype=tomcat 400 OR 401 OR 403 OR 404 OR 502 OR 503

WalshyB
Path Finder

Maybe this? To stop you having to write out every status code except 200.

Anything other than 200:
sourcetype=tomcat | insert regex to extract status here | where status!=200 | stats count by status

Or, if you create status as a search-time extraction:
sourcetype=tomcat status!=200 | stats count by status

To have a more accurate "error" reading, use >399

niketn
Legend

Have you checked in verbose mode whether the HTTP status field is getting extracted for your tomcat sourcetype or not? If it is not, then ideally you should create a Field Extraction for 304, 404 using Splunk's Interactive Field Extraction through the Extract Fields option in the Search menu. Refer to the documentation: http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/ExtractfieldsinteractivelywithIFX

Otherwise, temporarily you can create the field extraction directly in your SPL using the rex command if you are familiar with regular expressions. You might have to try with different kinds of samples to make sure the regular expression is universal.

sourcetype=tomcat 400 OR 401 OR 403 OR 404 OR 502 OR 503
| rex field=_raw "(?ms)^(?:[^ \n]+ ){8}(?P<status>\d+)"
| stats count by status

PS: The above rex is based on the data sample provided (it skips the eight space-delimited tokens before the status code). Once you have tested the regular expression using rex, you should create a Field Extraction through the regular expression.

Another, not so clean, option would be to use searchmatch:

sourcetype=tomcat 400 OR 401 OR 403 OR 404 OR 502 OR 503
| eval status=case(searchmatch("400"),400,searchmatch("401"),401,searchmatch("403"),403,searchmatch("404"),404,searchmatch("502"),502,searchmatch("503"),503,true(),"Unknown")
| stats count by status

Do check out the Splunk Add-on for Tomcat on Splunkbase, so that Tomcat data is processed as per the CIM.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
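The two answers above both come down to the same pipeline: extract the status as its own field, drop 200 (or everything below 400), then count by status. The following is an added example, written for this page and not code from any of the posters, that does the same thing in plain Python over a few constructed Tomcat access-log lines in the layout of the question. It also shows why the question's original free-text search (`400 OR 401 OR 403 ...`) over-counts: a keyword match hits anywhere in the raw event, including a request path such as `/docs/error-404.html` that was served with a 200. The sample addresses and paths are invented.

```python
import re
from collections import Counter

# Constructed sample events in the layout of the Tomcat access log from the
# question (hypothetical addresses and paths, not data from the original post).
SAMPLE_LOG = """\
01.01.01.56 - - [20/May/2016:09:22:44 +0000] "GET /parking/js/node.js HTTP/1.1" 302 -
01.01.01.56 - - [20/May/2016:06:44:44 +0000] "GET /outside/js/node.js HTTP/1.1" 404 -
01.01.01.57 - - [20/May/2016:06:45:01 +0000] "GET /index.html HTTP/1.1" 200 512
01.01.01.58 - - [20/May/2016:06:45:09 +0000] "GET /docs/error-404.html HTTP/1.1" 200 2048
01.01.01.59 - - [20/May/2016:06:46:12 +0000] "POST /login HTTP/1.1" 401 -
01.01.01.60 - - [20/May/2016:06:47:30 +0000] "GET /admin HTTP/1.1" 403 -
01.01.01.61 - - [20/May/2016:06:48:02 +0000] "GET /api/status HTTP/1.1" 503 -
01.01.01.56 - - [20/May/2016:06:49:44 +0000] "GET /outside/js/node.js HTTP/1.1" 404 -
"""

# Same approach as the rex in the answer above: skip eight space-delimited
# tokens (client, ident, user, the two halves of the timestamp, method, path,
# protocol) and capture the three digits that follow as the status.
STATUS_RE = re.compile(r'^(?:[^ \n]+ ){8}(?P<status>\d{3})\b')


def extract_status(line):
    """Return the HTTP status of one access-log line as an int, or None when
    the line does not fit the expected layout (the rex equivalent of the
    field simply not being set)."""
    m = STATUS_RE.match(line)
    return int(m.group("status")) if m else None


def count_by_status(log_text, exclude=(200,), min_status=None):
    """Equivalent of `... | where status!=200 | stats count by status`.
    Passing min_status=400 gives the `status>399` variant from the answer."""
    counts = Counter()
    for line in log_text.splitlines():
        status = extract_status(line)
        if status is None or status in exclude:
            continue
        if min_status is not None and status < min_status:
            continue
        counts[status] += 1
    return dict(sorted(counts.items()))


def naive_keyword_hits(log_text, codes=("400", "401", "403", "404", "502", "503")):
    """What the question's original search does: a free-text match anywhere in
    the raw event, so a path such as /docs/error-404.html is counted as a 404
    even though that request returned 200."""
    return sum(1 for line in log_text.splitlines() if any(c in line for c in codes))


def bar_chart(counts, width=40):
    """Plain-text stand-in for the bar chart the question asks for."""
    biggest = max(counts.values(), default=1)
    return "\n".join(
        f"http {code} = {n:3d} {'#' * (n * width // biggest)}"
        for code, n in counts.items()
    )


if __name__ == "__main__":
    print(bar_chart(count_by_status(SAMPLE_LOG)))
    print("errors only (>=400):", count_by_status(SAMPLE_LOG, min_status=400))
    print("keyword-only hits:", naive_keyword_hits(SAMPLE_LOG))
```

On the sample above the field-based count reports one 302, one 401, one 403, two 404s and one 503, while the keyword-only search reports six hits because it also picks up the `/docs/error-404.html` request. The same discrepancy applies in Splunk, which is why the answers recommend extracting `status` as a field (via rex or a search-time extraction) rather than searching for the numbers as free text.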

anthonymelita
Contributor

If you want to shorten your search string and get anything which isn't 200, you can also just use:
status!=200
