Splunk Search

How can I generate http status code vs all traffic on a line graph

zack
New Member

Hi everyone, I am comparatively new to Splunk and trying to create a visualization of each http status code vs all traffic as a line graph, for the traffic that is traversing through the device. I am able to extract all status codes for a specific path and was able to get each of the status codes for a specified time as below:


index=infra_device_sec sourcetype=device:cloudmonitor:json "message.reqPath"="/test/alpha/beta/delta" | stats count by message.status

message.status    count
0                 30
200               3129
302               56321
403               10439
408               25

 

I am trying to create a graph for each status code vs all traffic as below:

index=infra_device_sec sourcetype=device:cloudmonitor:json "message.reqPath"="/test/alpha/beta/delta" | stats count by message.status | eval x=if('message.status'=503,"ServerDenied","All-Traffic") | timechart span=20m count by x useother=f

 

But the output is showing only all traffic on a line graph. Could someone please guide me on two things:

1- How can I create a line graph of each status code vs all traffic?

2- How can I create a line graph which includes all of the above status codes vs all traffic?

 

Please let me know if any clarification is needed. 

 

thank you 


zack
New Member

My bad, I mistyped the actual command. It was supposed to be as below:

index=infra_device_sec sourcetype=device:cloudmonitor:json "message.reqPath"="/test/alpha/beta/delta" | eval x=if('message.status'=503,"ServerDenied","All-Traffic") | timechart span=20m count by x useother=f

I tried the query you suggested above, and I am able to see all status codes on a line graph, but can we also include all traffic vs status codes?


yuanliu
SplunkTrust

I think your question is about visualization when you say "all traffic vs status codes", meaning that you want to add a visualization to represent the total on the same graph, in addition to each line by x.

If you don't need the value of total, you can simply change visualization from line draw to area or block, then select "Stacked" in stack mode.  If you want the value of total, you can addcoltotals after timechart.

index=infra_device_sec sourcetype=device:cloudmonitor:json "message.reqPath"="/test/alpha/beta/delta"
| eval x=if('message.status'=503,"ServerDenied","All-Traffic")
| timechart span=20m count by x useother=f
| addtotals

The line "Total" represents all traffic.


PickleRick
SplunkTrust

I'm not sure what you're trying to achieve but I suppose that you want to have counts of various status codes during specific time periods (like every 10 minutes).

You have to remember that when Splunk processes your search, after a pipe it sees only the results from the immediately preceding command. So if you aggregate your events with "stats count by status" you get just a total count for each status and that's it. Splunk no longer knows at this point what events this result is composed of and it can't "split" them to calculate stats differently.

So if you want to have your timechart split by status, you have to - surprise, surprise 😉 - do

index=something sourcetype=whatever and so on
| timechart count by message.status

You don't do any intermediate stats.

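Putting the two answers together, here is the pair of searches that answer zack's two questions directly. This is an added example, not a query from any poster in the thread; it reuses the index, sourcetype, reqPath and 20-minute span from the question and assumes the status field is the numeric message.status shown in zack's stats output. The first search plots one status code (503 here) against all traffic in a single pass by counting twice inside the same timechart, which is what the eval/if attempt was reaching for without the intermediate stats. The second plots every status code as its own series straight from the raw events, as PickleRick describes, and then adds an all-traffic series with addtotals, as yuanliu describes, giving both the per-code lines and the total on one graph.

```spl
index=infra_device_sec sourcetype=device:cloudmonitor:json "message.reqPath"="/test/alpha/beta/delta"
| timechart span=20m count AS AllTraffic, count(eval('message.status'==503)) AS ServerDenied

index=infra_device_sec sourcetype=device:cloudmonitor:json "message.reqPath"="/test/alpha/beta/delta"
| timechart span=20m limit=0 useother=f usenull=f count by message.status
| addtotals fieldname=AllTraffic
```

Two caveats worth checking on the result table before trusting the chart: count(eval(...)) counts only events where the condition is true, so ServerDenied will never exceed AllTraffic in any bucket, which is a quick sanity check; and timechart's default series limit is 10, so with useother=f any status code beyond the ten most common would be silently dropped from the split, which is why limit=0 is set explicitly in the second search. The series names in the second search are the raw status values (0, 200, 302, 403, 408 and so on), so the status-0 line is a useful one to watch for aborted or unanswered requests.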