Splunk Search

How can I generate http status code vs all traffic on a line graph

zack
New Member

Hi everyone, I am comparatively new to Splunk and trying to create a visualization of each http status code vs all traffic as a line graph for the traffic that is traversing through the device. I am able to extract all status codes for a specific path and was able to get the count of each status code for a specified time as below:


index=infra_device_sec sourcetype=device:cloudmonitor:json "message.reqPath"="/test/alpha/beta/delta" | stats count by message.status

message.status    count
0                 30
200               3129
302               56321
403               10439
408               25

I am trying to create a graph for each status code vs all traffic as below:

index=infra_device_sec sourcetype=device:cloudmonitor:json "message.reqPath"="/test/alpha/beta/delta" | stats count by message.status | eval x=if('message.status'=503,"ServerDenied","All-Traffic") | timechart span=20m count by x useother=f

But the output is showing only all traffic on a line graph. Could someone please guide me on two things:

1- How can I create a line graph of each status code vs all traffic?

2- How can I create a line graph which includes all of the above status codes vs all traffic?

Please let me know if any clarification is needed. 

thank you 

zack
New Member

My bad, I mistyped the actual command. It was supposed to be as below:

index=infra_device_sec sourcetype=device:cloudmonitor:json "message.reqPath"="/test/alpha/beta/delta" | eval x=if('message.status'=503,"ServerDenied","All-Traffic") | timechart span=20m count by x useother=f

I tried a query you suggested above, and I am able to see all status code on a line graph, but can we also include all traffic vs status codes?

yuanliu
SplunkTrust

I think your question is about visualization when you say "all traffic vs status codes", meaning that you want to add a visualization to represent the total on the same graph in addition to each line by x.

If you don't need the value of total, you can simply change visualization from line draw to area or block, then select "Stacked" in stack mode.  If you want the value of total, you can addcoltotals after timechart.

index=infra_device_sec sourcetype=device:cloudmonitor:json "message.reqPath"="/test/alpha/beta/delta"
| eval x=if('message.status'=503,"ServerDenied","All-Traffic")
| timechart span=20m count by x useother=f
| addtotals

The line "Total" represents all traffic.

PickleRick
SplunkTrust

I'm not sure what you're trying to achieve but I suppose that you want to have counts of various status codes during specific time periods (like every 10 minutes).

You have to remember that when Splunk processes your search, after a pipe it sees only the results from the immediately preceding command. So if you aggregate your events with "stats count by status" you get just a total count for each status and that's it. Splunk no longer knows at this point what events this result is composed of and it can't "split" them to calculate stats differently.

So if you want to have your timechart split by status, you have to - surprise, surprise 😉 - do

index=something sourcetype=whatever and so on
| timechart count by message.status

You don't do any intermediate stats.

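Putting the two answers together for the second question (every status code plus an all-traffic line on one timechart), here is an added example search. It is not from any of the posters above; it assumes the index, sourcetype and field names exactly as the original post uses them, and the column name "All-Traffic" is my own choice. The per-status series come straight from timechart with no intermediate stats, and addtotals then sums every series in each 20-minute row into one extra column, which the line chart renders as the all-traffic line:

```spl
index=infra_device_sec sourcetype=device:cloudmonitor:json "message.reqPath"="/test/alpha/beta/delta"
| timechart span=20m count by message.status useother=f limit=0
| addtotals fieldname="All-Traffic"
```

limit=0 removes timechart's default cap of 10 series so no status code is dropped, and useother=f keeps a catch-all OTHER series from being drawn. Because timechart fills buckets with no events for a given status with 0, the row total is the true count of all matching requests in that bucket. For the first question (one status code against everything else), the eval x=if('message.status'=503,...) form from the earlier reply followed by the same addtotals gives a 503 line, a non-503 line and the total.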