Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Get last two http status for every subpage

ezoteriusz
Engager
‎05-29-2020 01:30 AM

Hello,

I need to query all last two http status for every page (extracted from URI)

For example for this log:

ip_address - - [23/May/2020:18:22:16] "GET /test HTTP 1.1" 200 1665 "http://www.testwebsite.com/test "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5" 159

ip_address - - [23/May/2020:19:24:09] "GET /test HTTP 1.1" 404 2301 "http://www.testwebsite.com/test" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5" 159

I'd like to query for page /test two last codes, in this case 404 and 200.

I tried something with streamstats but I dont really know how to combine this into one single query:

|  streamstats values(status) by uri_path window=2
Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎05-30-2020 06:47 PM

sample:

index=_internal sourcetype=splunkd_ui_access
| reverse
| streamstats global=f list(status) as last2Status window=2 by uri_path
| reverse

use list() with global=f option.

View solution in original post

Reply
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎05-30-2020 06:47 PM

sample:

index=_internal sourcetype=splunkd_ui_access
| reverse
| streamstats global=f list(status) as last2Status window=2 by uri_path
| reverse

use list() with global=f option.

Reply
*NEW* Splunk Love Promo!
Snag a $25 Visa Gift Card for Giving Your Review!

It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!

Review:





Or Learn More in Our Blog >>

Get Updates on the Splunk Community!