Counting the number of responses and displaying in a pie chart.

wjz
New Member

Hi,

I'd like to count the number of responses by the following status codes: 2xx, 4xx and 5xx.
I'm basically counting the number of 2xx, 4xx and 5xx statuses for each API that is read line by line from a CSV file.

The only problem that I'm struggling with is I can't figure out how to sum and group the number of counted 2xx and 4xx status codes under a common label named: non5xx that refers to non-server error status codes and then display it in a pie/column/bar chart.

So far, I've come up with the following query, but it fails to meet my expectations:

[| inputlookup api_names_file.csv | rename AppName to app_name | table app_name] | chart count(eval(like(status, "2%"))) AS successResponses, count(eval(like(status, "4%"))) as clientErrorResponses, count(eval(like(status, "5%"))) AS 5xx BY app_name | eval total = (successResponses + clientErrorResponses) | eventstats sum(total) AS non5xx by app_name | fields non5xx, 5xx

Eventually, I'd like to end up with the following chart:

  • The non5xx group would refer to the sum of counted 2xx and 4xx statuses grouped together.
  • The 5xx group pictures the number of 5xx server error responses.

Is it possible to group the counted 2xx and 4xx status codes under a common label, just like on the aforementioned pie chart?
Of course, it may be an arbitrary type of chart, including the column and bar ones as well.

Thank you in advance

0 Karma
1 Solution

kamlesh_vaghela
SplunkTrust

Hi @wjz,

Can you please try these searches?

Search for the count of status like 2xx,4xx & 5xx.

| inputlookup api_names_file.csv | eval status=case(like(status, "2%"),"2xx",like(status, "4%"),"4xx",like(status, "5%"),"5xx") | stats count by status

Search for the count of status like non5xx & 5xx.

| inputlookup api_names_file.csv | eval status=case(like(status, "2%") OR like(status, "4%"),"non5xx",like(status, "5%"),"5xx") | stats count by status

Just change the visualization to the pie chart.

Happy Splunking

gemrose
Explorer

Adding to this thread if we need to have a pie section based on 4 values: 2xx, 4xx, 5xx, "Others". Others are the codes not in 2xx, 4xx, 5xx.

0 Karma

somesoni2
SplunkTrust

Assuming this query gives you the count of 2xx, 4xx and 5xx errors for each app_name:

[| inputlookup api_names_file.csv | rename AppName to app_name | table app_name] | chart count(eval(like(status, "2%"))) AS successResponses, count(eval(like(status, "4%"))) as clientErrorResponses, count(eval(like(status, "5%"))) AS 5xx BY app_name

Use this query to get the consolidated pie chart data you need.

[| inputlookup api_names_file.csv | rename AppName to app_name | table app_name] 
| eval type=if(like(status,"5%"),"5xx","non5xx") 
| stats count by type
0 Karma
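
For the four-slice variant raised earlier in the thread (2xx, 4xx, 5xx and "Others"), here is an added example that is not from any of the posters: it gives case() a true() fallback so that codes outside the three classes are counted rather than left unlabelled. The makeresults rows are constructed sample data and status_class is an assumed field name; replace the first three lines with your own base search.

```spl
| makeresults count=8
| streamstats count AS n
| eval status=case(n<=3,"200", n==4,"204", n==5,"404", n==6,"500", n==7,"302", n==8,"101")
| eval status_class=case(like(status,"2%"),"2xx",
                         like(status,"4%"),"4xx",
                         like(status,"5%"),"5xx",
                         true(),"Others")
| stats count BY status_class
```

Without the true() branch, case() returns null for the 302 and 101 rows, and stats count BY leaves out rows whose BY field is null, so those responses would never appear in the chart.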