Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract the HTTP Status Code?

bryceweb22
Path Finder
‎06-11-2019 02:21 PM

I need help with extracting and graphing the HTTP status code which is always the end of every log formatted as;

`200 0 0 140 or 403 0 0 455`

wherein those two examples the 200 and the 403 represent just two types of many different status codes.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

hmarkus
Explorer
‎06-12-2019 12:01 AM

something like 200 0 0 140 or 403 0 0 455 is the end of every line?

-> add in props.conf in your apache Sourcetype:
EXTRACT-http_statuscode = (?<statuscode>\d+)\s\d+\s\d+\s\d+$

-> If your data is already in Splunk, you can use this in your search to test it:
<your search> | rex field=_raw "(?<statuscode>\d+)\s\d+\s\d+\s\d+$"

-> explanation:
https://regex101.com/r/ct4C7D/1

-> After extracting the field (either in props.conf or in your search) you can use
<your search and extraction> | timechart count by statuscode
or
<your search and extraction> | stats count by statuscode

 -> or use Splunk built in extractions for default access logs
 <your search> | extract access-extractions | stats count by statuscode

View solution in original post

Reply
Solved! Jump to solution
Solution

hmarkus
Explorer
‎06-12-2019 12:01 AM

something like 200 0 0 140 or 403 0 0 455 is the end of every line?

-> add in props.conf in your apache Sourcetype:
EXTRACT-http_statuscode = (?<statuscode>\d+)\s\d+\s\d+\s\d+$

-> If your data is already in Splunk, you can use this in your search to test it:
<your search> | rex field=_raw "(?<statuscode>\d+)\s\d+\s\d+\s\d+$"

-> explanation:
https://regex101.com/r/ct4C7D/1

-> After extracting the field (either in props.conf or in your search) you can use
<your search and extraction> | timechart count by statuscode
or
<your search and extraction> | stats count by statuscode

 -> or use Splunk built in extractions for default access logs
 <your search> | extract access-extractions | stats count by statuscode
Reply
Solved! Jump to solution

bryceweb22
Path Finder
‎06-12-2019 07:10 AM

Thank you that fixed my problem. To answer your question yes something like those examples are at the very end of every log it is formatted in IIS logging.

0 Karma
Reply
Solved! Jump to solution

pruthvikrishnap
Contributor
‎06-11-2019 04:44 PM

if there is a prefix it would be very easy, you can do something like this in props.conf "prefix : (?<status_code>\d+)"
else you will have to white list all the expected status codes in props.conf and use them something like this https://answers.splunk.com/answers/319823/how-to-configure-propsconf-and-transformsconf-to-o.html

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
Top