Solved: How to edit my search to get the percentage of hos...

JoshuaJohn · ‎09-07-2016

I have http response codes, and I have hosts.

I want my data to show both of them and how they correlate with each other, I am trying to picture what this would look like, but am having trouble.

Basically this is my search:

index=nitro_ecomm_rest http_Response_code="*" |table host http_Response_code

This shows me every host and every response code.

I would like something more along the lines of every response code with the percentage of a host that is in it so if host: alpha50 has 10 200 http responses and 90 400s under 200, it would show alpha50 10% 10 and under the 400 category 90% 90

This is something I will also be working on for a bit.

somesoni2 · ‎09-07-2016

Give this a try

index=nitro_ecomm_rest http_Response_code="*" | stats count by host http_Response_code | eventstats sum(count) as Total by host | eval Percent=round(count*100/Total,2) | eval ValueToShow=Percent." % - ".count | chart values(ValueToShow) over host by http_Response_code

View solution in original post

somesoni2 · ‎09-07-2016

Give this a try

index=nitro_ecomm_rest http_Response_code="*" | stats count by host http_Response_code | eventstats sum(count) as Total by host | eval Percent=round(count*100/Total,2) | eval ValueToShow=Percent." % - ".count | chart values(ValueToShow) over host by http_Response_code

sundareshr · ‎09-07-2016

Try this

index=nitro_ecomm_rest http_Response_code="*" | chart count over host by http_Response_code

How to edit my search to get the percentage of hosts by HTTP response code?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms