ezoteriusz
Engager
05-29-2020
01:30 AM
Hello,
I need to query the last two HTTP statuses for every page (extracted from the URI).
For example, for this log:
ip_address - - [23/May/2020:18:22:16] "GET /test HTTP 1.1" 200 1665 "http://www.testwebsite.com/test "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5" 159
ip_address - - [23/May/2020:19:24:09] "GET /test HTTP 1.1" 404 2301 "http://www.testwebsite.com/test" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5" 159
I'd like to query the last two codes for page /test, in this case 404 and 200.
I tried something with streamstats, but I don't really know how to combine this into one single query:
| streamstats values(status) by uri_path window=2
1 Solution
to4kawa
Ultra Champion
05-30-2020
06:47 PM
sample:
index=_internal sourcetype=splunkd_ui_access
| reverse
| streamstats global=f list(status) as last2Status window=2 by uri_path
| reverse
Use list() with the global=f option.
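
An added example, not part of the answer above and not Splunk code: a Python model of what the accepted query computes, run over constructed log lines in the question's format. The sample IPs, paths and the helper names (`parse`, `last_two_statuses`, `as_values`) are assumptions made for illustration; it keeps one two-event window per page (the effect of `global=f` with `by uri_path`) and shows how `values()` would collapse repeated statuses where `list()` does not.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in the format shown in the question (not real traffic).
SAMPLE_LOG = '''\
10.0.0.1 - - [23/May/2020:18:22:16] "GET /test HTTP 1.1" 200 1665 "-" "Mozilla/5.0" 159
10.0.0.2 - - [23/May/2020:18:40:02] "GET /home HTTP 1.1" 200 512 "-" "Mozilla/5.0" 87
10.0.0.1 - - [23/May/2020:19:24:09] "GET /test HTTP 1.1" 404 2301 "-" "Mozilla/5.0" 159
10.0.0.3 - - [23/May/2020:19:30:00] "GET /home?x=1 HTTP 1.1" 200 512 "-" "Mozilla/5.0" 90
not an access log line
'''

LINE_RE = re.compile(
    r'\[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) ')

def parse(lines):
    """Yield (timestamp, uri_path, status) for lines that match; skip the rest."""
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S")
        # Drop the query string so /home?x=1 counts as page /home.
        yield ts, m["uri"].split("?", 1)[0], int(m["status"])

def last_two_statuses(lines):
    """Per uri_path, the last two statuses in time order (oldest first)."""
    windows = defaultdict(lambda: deque(maxlen=2))  # one window per page: global=f
    for _, path, status in sorted(parse(lines)):    # oldest first, like `| reverse`
        windows[path].append(status)                # keeps duplicates, like list()
    return {path: list(w) for path, w in windows.items()}

def as_values(statuses):
    """What values() would show instead: de-duplicated and sorted."""
    return sorted(set(statuses))

if __name__ == "__main__":
    for path, statuses in last_two_statuses(SAMPLE_LOG.splitlines()).items():
        print(path, statuses, as_values(statuses))
```
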
