Solved: Get last two http status for every subpage

ezoteriusz · ‎05-29-2020

Hello,

I need to query all last two http status for every page (extracted from URI)

For example for this log:

ip_address - - [23/May/2020:18:22:16] "GET /test HTTP 1.1" 200 1665 "http://www.testwebsite.com/test "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5" 159

ip_address - - [23/May/2020:19:24:09] "GET /test HTTP 1.1" 404 2301 "http://www.testwebsite.com/test" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5" 159

I'd like to query for page /test two last codes, in this case 404 and 200.

I tried something with streamstats but I dont really know how to combine this into one single query:

|  streamstats values(status) by uri_path window=2

to4kawa · ‎05-30-2020

sample:

index=_internal sourcetype=splunkd_ui_access
| reverse
| streamstats global=f list(status) as last2Status window=2 by uri_path
| reverse

use list() with global=f option.

View solution in original post

to4kawa · ‎05-30-2020

sample:

index=_internal sourcetype=splunkd_ui_access
| reverse
| streamstats global=f list(status) as last2Status window=2 by uri_path
| reverse

use list() with global=f option.

Get last two http status for every subpage

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Announcing the General Availability of Splunk Enterprise Security 8.1!

Developer Spotlight with William Searle

Are you a member of the Splunk Community?

Get last two http status for every subpage

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Announcing the General Availability of Splunk Enterprise Security 8.1!

Developer Spotlight with William Searle