Solved: Get last two http status for every subpage

ezoteriusz · ‎05-29-2020

Hello,

I need to query all last two http status for every page (extracted from URI)

For example for this log:

ip_address - - [23/May/2020:18:22:16] "GET /test HTTP 1.1" 200 1665 "http://www.testwebsite.com/test "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5" 159

ip_address - - [23/May/2020:19:24:09] "GET /test HTTP 1.1" 404 2301 "http://www.testwebsite.com/test" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5" 159

I'd like to query for page /test two last codes, in this case 404 and 200.

I tried something with streamstats but I dont really know how to combine this into one single query:

|  streamstats values(status) by uri_path window=2

to4kawa · ‎05-30-2020

sample:

index=_internal sourcetype=splunkd_ui_access
| reverse
| streamstats global=f list(status) as last2Status window=2 by uri_path
| reverse

use list() with global=f option.

View solution in original post

to4kawa · ‎05-30-2020

sample:

index=_internal sourcetype=splunkd_ui_access
| reverse
| streamstats global=f list(status) as last2Status window=2 by uri_path
| reverse

use list() with global=f option.

Get last two http status for every subpage

See your relevant APM services, dashboards, and alerts in one place with the updated ...

Splunk App for Anomaly Detection End of Life Announcement

Aligning Observability Costs with Business Value: Practical Strategies

Are you a member of the Splunk Community?

Get last two http status for every subpage

See your relevant APM services, dashboards, and alerts in one place with the updated ...

Splunk App for Anomaly Detection End of Life Announcement

Aligning Observability Costs with Business Value: Practical Strategies