Splunk ITSI
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Getting percentages from in iTSI in a base search

brent_weaver
Builder
‎04-10-2019 09:12 AM

I have events that have http error codes in them. I would like to be able to get a percentage of 500 errors for all the events. I have this as my base search:

index=firehose sourcetype="cf_logs_syslog" source_type=RTR 
| eval 5xx_code=if(responseCode>=500 AND responseCode<=599, 1, 0)
| eval 4xx_code=if(responseCode>=400 AND responseCode<=499, 1, 0)
| eval 2xx_code=if(responseCode>=200 AND responseCode<=399, 1, 0)

If i were in core splunk I could conjure up the SPL to do this, but I struggle with iTSI as a base search. I would ultimately like to have percentages of all 200-399, 400-499, and 500-599 error codes. I guess you could say that the fact that I cannot use the eval function is killing me 🙂

Any thoughts?

0 Karma
Reply
Get Updates on the Splunk Community!

Let’s Talk Terraform

If you’re beyond the first-weeks-of-a-startup stage, chances are your application’s architecture is pretty ...

Cloud Platform | Customer Change Announcement: Email Notification is Available For ...

The Notification Team is migrating our email service provider. As the rollout progresses, Splunk has enabled ...

Save the Date: GovSummit Returns Wednesday, December 11th!

Hey there, Splunk Community! Exciting news: Splunk’s GovSummit 2024 is returning to Washington, D.C. on ...