Splunk Search

Filter events in a time frame by a condition

RemyaT
Explorer

I have the query below to find the response code and count vs. time (in 1-minute intervals).

 

index=sample_index path=*/sample_path* 
	| bucket _time span=1m 
	| stats count by _time responseCode

 

The result shows the response code and count vs. time for each minute. But I just need the events in those one-minute intervals which have a 403 response code along with other response codes, and skip those which don't have a 403.

Suppose that during time1 there are only events with response code 200; I don't need that in my result. But if during time2 there are events with response codes 200 and 403, I need those in the result as time, response code, count.


ITWhisperer
SplunkTrust
index=sample_index path=*/sample_path* responseCode=200 OR responseCode=403
| timechart span=1m count by responseCode
| where '403' > 0

gcusello
SplunkTrust

Hi @RemyaT,

let me understand: do you want to count only events with response_code=403, or the count of all response_codes when there's at least one 403?

If the first, you can try:

index=sample_index path=*/sample_path* response_code=403
| timechart span=1m count

if the second

index=sample_index path=*/sample_path* 
| bucket _time span=1m 
| stats 
   count(eval(response_code="200")) AS count_200 
   count(eval(response_code="403")) AS count_403 
   BY _time
| where count_403 > 0

Ciao.

Giuseppe
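For the case the question actually describes (every response code seen in a minute that also saw at least one 403, returned as rows of time, response code, count, not just 200 and 403), the two answers above can be combined. This is an added example, not code posted by either answerer; it assumes the field name `responseCode` from the question and that its extracted values are strings:

```spl
index=sample_index path=*/sample_path*
| bucket _time span=1m
| stats count BY _time responseCode
| eventstats count(eval(responseCode="403")) AS has_403 BY _time
| where has_403 > 0
| fields - has_403
| sort 0 _time responseCode
```

`stats` keeps one row per minute and response code, as in the original query; `eventstats` then attaches to every row of the same minute the number of rows in that minute whose code is 403 (0 or 1 here), without collapsing the rows the way a second `stats` would. `where has_403 > 0` drops the minutes with no 403, and the remaining rows still carry all other codes from those minutes. The comparison `responseCode="403"` is a string match; if the field has been converted to a number upstream, compare with `tonumber(responseCode)=403` instead.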
