Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can I generate http status code vs all traffic on a line graph

zack
New Member
‎12-19-2022 12:47 PM

Hi everyone, I am comparatively new to Splunk and trying to create visualization of each http status code vs all traffic line graph that is traversing though the device. I am able to extract all status code due to a specific path and was able to each of the status code for a specified time as below:


index=infra_device_sec sourcetype=device:cloudmonitor:json "message.reqPath"="/test/alpha/beta/delta" | stats count by message.status

message.statuscount

030
2003129
30256321
40310439
40825

 

I am trying to create a graph for each status code vs all traffic as below:

 index=infra_device_sec sourcetype=device:cloudmonitor:json "message.reqPath"="/test/alpha/beta/delta" | stats count by message.status | eval x=if('message.status'=503,"ServerDenied","All-Traffic") | timechart span=20m count by x useother=f<

 

But the output is showing only all traffic on a line graph. Could someone please guide two things:

1- How can create a line graph on each status code vs all traffic

2- How can I create a line graph which include all above status code vs all traffic. 

 

Please let me know if any clarification is needed. 

 

thank you 

Labels (1)
Labels
Tags (1)
0 Karma
Reply

zack
New Member
‎12-19-2022 01:28 PM

My bad, i miss typed the actual command. It was supposed to be as below:

index=infra_device_sec sourcetype=device:cloudmonitor:json "message.reqPath"="/test/alpha/beta/delta" | eval x=if('message.status'=503,"ServerDenied","All-Traffic") | timechart span=20m count by x useother=f

I tried a query you suggested above, and I am able to see all status code on a line graph, but can we also include all traffic vs status codes?

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎12-19-2022 09:00 PM

I think your question is about visualization when you say "all traffic vs status codes", meaning that you want to add a visualization to represent total on the same graph in addition each line by x.

If you don't need the value of total, you can simply change visualization from line draw to area or block, then select "Stacked" in stack mode.  If you want the value of total, you can addcoltotals after timechart.

index=infra_device_sec sourcetype=device:cloudmonitor:json "message.reqPath"="/test/alpha/beta/delta"
| eval x=if('message.status'=503,"ServerDenied","All-Traffic")
| timechart span=20m count by x useother=f
| addtotals

The line "Total" represents all traffic.

Tags (1)
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎12-19-2022 01:11 PM

I'm not sure what you're trying to achieve but I suppose that you want to have counts of various status codes during specific time periods (like every 10 minutes).

You have to remember that when splunk processes your search, after a pipe it sees only the results from the immediately preceeding command. So if you aggregate your events with "stats count by status" you get just a number of total count for each status and that's it. Splunk no longer knows at this point what events this result is composed of and it can't "split" them to calculate stats differently.

So if you want to have your timechart split by status, you have to - surprise, surprise 😉 - do

index=something sourcetype=whatever and so on
| timechart count by message.status

You don't do any intermediate stats.

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
Top