i have environments like "A" "B" "C" "D", each environments have different clients,Now I want to display response status for particular url of an environment in a table like below
clent="x"
Requested Url responnseStatus=200 responseStatus=400 responsestatus=500
********** 45 55 10
__________ 24 14 5
Client="y"
Requested Url responnseStatus=200 responseStatus=400 responsestatus=500
********** 15 5 10
__________ 42 24 15
Hi,
With fields named url and status, you can use the chart command to count over url by status:
| chart count over url by status
url | 200 | 404 |
/ | 123 | 0 |
/broken | 0 | 3 |
You can rename fields and modify field values to adjust table column names:
| rename url as "Requested Url"
| eval status="responseStatus=".status
| chart count over "Requested Url" by status
Requested Url | responseStatus=200 | responseStatus=404 |
/ | 123 | 0 |
/broken | 0 | 3 |
In either case, your base search should include your target events:
index=foo environment=A client=x
| rename url as "Requested Url"
| eval status="responseStatus=".status
| chart count over "Requested Url" by status
You can improve performance by adding indexed fields like source and sourcetype to your base search, using accelerated data models, etc., but those are topics best left to a new question.