Solved: Get last two http status for every subpage

ezoteriusz · ‎05-29-2020

Hello,

I need to query all last two http status for every page (extracted from URI)

For example for this log:

ip_address - - [23/May/2020:18:22:16] "GET /test HTTP 1.1" 200 1665 "http://www.testwebsite.com/test "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5" 159

ip_address - - [23/May/2020:19:24:09] "GET /test HTTP 1.1" 404 2301 "http://www.testwebsite.com/test" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5" 159

I'd like to query for page /test two last codes, in this case 404 and 200.

I tried something with streamstats but I dont really know how to combine this into one single query:

|  streamstats values(status) by uri_path window=2

to4kawa · ‎05-30-2020

sample:

index=_internal sourcetype=splunkd_ui_access
| reverse
| streamstats global=f list(status) as last2Status window=2 by uri_path
| reverse

use list() with global=f option.

View solution in original post

to4kawa · ‎05-30-2020

sample:

index=_internal sourcetype=splunkd_ui_access
| reverse
| streamstats global=f list(status) as last2Status window=2 by uri_path
| reverse

use list() with global=f option.

Get last two http status for every subpage

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

Wrapping Up Cybersecurity Awareness Month

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

Are you a member of the Splunk Community?

Get last two http status for every subpage

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

Wrapping Up Cybersecurity Awareness Month

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2