Splunk Search

How can I generate http status code vs all traffic on a line graph

zack
New Member

Hi everyone, I am comparatively new to Splunk and trying to create a visualization of each HTTP status code vs all traffic as a line graph for the traffic that is traversing through the device. I am able to extract all status codes for a specific path and was able to count each status code for a specified time as below:


index=infra_device_sec sourcetype=device:cloudmonitor:json "message.reqPath"="/test/alpha/beta/delta" | stats count by message.status

message.status    count
0                 30
200               3129
302               56321
403               10439
408               25

 

I am trying to create a graph for each status code vs all traffic as below:

index=infra_device_sec sourcetype=device:cloudmonitor:json "message.reqPath"="/test/alpha/beta/delta" | stats count by message.status | eval x=if('message.status'=503,"ServerDenied","All-Traffic") | timechart span=20m count by x useother=f

 

But the output is showing only all traffic on the line graph. Could someone please guide me on two things:

1- How can I create a line graph of each status code vs all traffic?

2- How can I create a line graph which includes all of the above status codes vs all traffic?

 

Please let me know if any clarification is needed. 

 

thank you 


zack
New Member

My bad, I mistyped the actual command. It was supposed to be as below:

index=infra_device_sec sourcetype=device:cloudmonitor:json "message.reqPath"="/test/alpha/beta/delta" | eval x=if('message.status'=503,"ServerDenied","All-Traffic") | timechart span=20m count by x useother=f

I tried a query you suggested above, and I am able to see all status code on a line graph, but can we also include all traffic vs status codes?


yuanliu
SplunkTrust

I think your question is about visualization when you say "all traffic vs status codes", meaning that you want to add a visualization representing the total on the same graph, in addition to each line by x.

If you don't need the value of total, you can simply change visualization from line draw to area or block, then select "Stacked" in stack mode.  If you want the value of total, you can addcoltotals after timechart.

index=infra_device_sec sourcetype=device:cloudmonitor:json "message.reqPath"="/test/alpha/beta/delta"
| eval x=if('message.status'=503,"ServerDenied","All-Traffic")
| timechart span=20m count by x useother=f
| addtotals

The line "Total" represents all traffic.


PickleRick
SplunkTrust

I'm not sure what you're trying to achieve but I suppose that you want to have counts of various status codes during specific time periods (like every 10 minutes).

You have to remember that when Splunk processes your search, after a pipe it sees only the results from the immediately preceding command. So if you aggregate your events with "stats count by status" you get just the total count for each status and that's it. Splunk no longer knows at this point what events this result is composed of, and it can't "split" them to calculate stats differently.

So if you want to have your timechart split by status, you have to - surprise, surprise 😉 - do

index=something sourcetype=whatever and so on
| timechart count by message.status

You don't do any intermediate stats.

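Putting the two answers above together (timechart split directly by message.status, then a per-bucket total), this is an added example search and not a query posted by anyone in the thread. It reuses the index, sourcetype and reqPath from the question; the output column name "All-Traffic" is an arbitrary choice.

```spl
index=infra_device_sec sourcetype=device:cloudmonitor:json "message.reqPath"="/test/alpha/beta/delta"
| timechart span=20m limit=0 useother=f count by message.status
| addtotals fieldname="All-Traffic"
```

No intermediate stats: timechart itself buckets the raw events into 20-minute spans and produces one series per status value (limit=0 lifts the default cap of ten series, and useother=f suppresses the OTHER series). addtotals then sums the per-status columns in each row, so "All-Traffic" is the total request count for that bucket and plots as one more line alongside 200, 302, 403 and the rest. If you only want a single status such as 503 highlighted against the total, keep the eval/x approach from the question and add the same addtotals line after its timechart.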