Getting percentages from in iTSI in a base search

Splunk ITSI

I have events that have http error codes in them. I would like to be able to get a percentage of 500 errors for all the events. I have this as my base search:

index=firehose sourcetype="cf_logs_syslog" source_type=RTR 
| eval 5xx_code=if(responseCode>=500 AND responseCode<=599, 1, 0)
| eval 4xx_code=if(responseCode>=400 AND responseCode<=499, 1, 0)
| eval 2xx_code=if(responseCode>=200 AND responseCode<=399, 1, 0)

If i were in core splunk I could conjure up the SPL to do this, but I struggle with iTSI as a base search. I would ultimately like to have percentages of all 200-399, 400-499, and 500-599 error codes. I guess you could say that the fact that I cannot use the eval function is killing me 🙂

Any thoughts?

Get Updates on the Splunk Community!

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious! We’re back with another ...

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

We love our Splunk Community and want you to feel inspired by all your hard work! Eric Fusilero, our VP of ...