How to find HTTP error code count with percentage for individual application based on time

rajgowd1
Communicator

Hi,
I am trying to find each application's individual HTTP error codes total count with percentage.

Here is the query which I was using to display some fields, but it is with 200. How can we get other HTTP codes with total count and percentage on a time basis?

index=myindex cf_org_name="ANA-CCN-CAP" cf_space_name="lab" cf_app_name="ana-ccn-cap-sit"
| eval StatusCode=if(ResponseCode=200,"Success","Failure")
| timechart span=1h count by StatusCode
| addtotals
| eval Percent_Failure=round(Failure/ Total * 100, 1)
| timechart span=1d sum(Total) as Total sum(Failure) as Failure sum(Success) as Success
| rename _time as Time
| table Total Success Failure SuccessePercentage FailurePercentage
| eval FailurePercentage=round(Failure/ Total * 100, 1)
| eval SuccessePercentage=round(Success/ Total * 100, 1)
| eval FailurePercentage=FailurePercentage+"%"
| fieldformat Total=tostring(Total,"commas")
| fieldformat Failure=tostring(Failure, "Commas")
| eval SuccessePercentage=SuccessePercentage+"%"
| eval Time=strftime(Time,"%c")

0 Karma
1 Solution

woodcock
Esteemed Legend

Maybe this (it is very unclear what you mean "by application"):

index=myindex cf_org_name="ANA-CCN-CAP" cf_space_name="lab" cf_app_name="ana-ccn-cap-sit"
| stats count AS Total count(eval(ResponseCode="200")) AS Success BY application
| eval Failure = Total - Success
| eval Percent_Failure=round((Failure/ Total) * 100, 1)
| eval Percent_Success=100 - Percent_Failure
| rename _time as Time
| table Total Success Failure Percent_Success Percent_Failure
| eval Percent_Failure=Percent_Failure."%"
| fieldformat Total=tostring(Total,"commas")
| fieldformat Failure=tostring(Failure, "Commas")
| eval Percent_Success=Percent_Success."%"
| eval Time=strftime(Time,"%c")


0 Karma


rajgowd1
Communicator

Thanks, woodcock.
Application means, we have applications like:

ana-ccn-cap-sit
ana-ccn-cap-sit1
ana-ccn-cap-sit2
ana-ccn-cap-sit3

I created a dropdown and I can pass the application name in the search query and get success, failure and respective percentages for each application.
With your help, I modified it a little bit and got the expected results.

Here is the total search:

index=myindex cf_org_name="ANA-CCN-CAP" cf_space_name="lab" cf_app_name="*"
| stats count AS Total count(eval(ResponseCode="200")) AS Success BY cf_app_name
| eval Failure = Total - Success
| eval Percent_Failure=round((Failure*100/ Total), 1)
| eval Percent_Success=round((100 - Percent_Failure),1)
| rename _time as Time
| table Time cf_app_name Total Success Failure Percent_Failure Percent_Success
| eval Percent_Failure=Percent_Failure. "%"
| fieldformat Total=tostring(Total,"commas")
| fieldformat Failure=tostring(Failure, "Commas")
| eval Percent_Success=Percent_Success. "%"
| eval Time=strftime(Time,"%c")

But I am not able to display time with the above search.

0 Karma

woodcock
Esteemed Legend

In what manner would you like time to be displayed? A single value per line with the earliest value? A table broken out by month?

0 Karma

rajgowd1
Communicator

It would be good if it is a single value per line with the earliest.

0 Karma

woodcock
Esteemed Legend

Like this:

index=myindex  cf_org_name="ANA-CCN-CAP" cf_space_name="lab" cf_app_name="*"
| stats count AS Total first(_time) AS Time count(eval(ResponseCode="200")) AS Success BY cf_app_name
| eval Failure = Total - Success
| eval Percent_Failure=round((Failure*100/ Total), 1)
| eval Percent_Success=round((100 - Percent_Failure),1)
| table Time cf_app_name Total Success Failure Percent_Failure Percent_Success
| eval Percent_Failure=Percent_Failure. "%"
| fieldformat Total=tostring(Total,"commas")
| fieldformat Failure=tostring(Failure, "Commas")
| eval Percent_Success=Percent_Success. "%"
| eval Time=strftime(Time,"%c")
0 Karma

rajgowd1
Communicator

Thank you for your prompt response. Now the results look good.

0 Karma

woodcock
Esteemed Legend

BTW, there was a mistake; when I wrote first, I should have written earliest. Please change that and it will be correct.

0 Karma

rajgowd1
Communicator

Sure. We ran a load test for 1 hour; can we show the success and failure rate between the starting and ending time?

0 Karma

Raschko
Communicator

Can you post some sanitized example log events? Atm it's hard to help at all I guess.

Furthermore, what do you expect as a result? Please give an example.

0 Karma

rajgowd1
Communicator

I am expecting HTTP error codes total count with percentage by application name on a time basis.

Here is the sample log:

<6>2017-01-27T20:59:59Z v204vtn756h doppler[19]: {"cf_app_id":"6b3e0a17-c90e-4921-8bb5-d01dbc4fc768","cf_app_name":"ana-ccn-cap-sit","cf_ignored_app":false,"cf_org_id":"fd12558e-ddaf-4dd2-91b3-85f28ccd27f3","cf_org_name":"ANA-CCN-CAP","cf_origin":"firehose","cf_space_id":"f9e2c3b9-ff7a-46b2-b359-9ec4ec13487b","cf_space_name":"lab","deployment":"cf","event_type":"LogMessage","ip":"168.72.186.200","job":"diego_cell-partition-ee9c6bad3843f162447f","job_index":"8","level":"info","message_type":"OUT","msg":" INFO [o-8080-exec-322] c.c.c.l.c.f.CCPLoggingContextFilter c.c.c.l.c.f.CCPLoggingContextFilter.postProcess(CCPLoggingContextFilter.java:187) - POST|/public/sso/keepalive|72DE4B61-ac57-c4eb-c757-dde94f4866|cf17546a-bd9a-4f52-829e-ac78298510b8|US|GCB|MBK||METRICS|ResponseCode=200|ResponseTime=44","origin":"rep","source_instance":"0","source_type":"APP","time":"2017-01-27T20:59:59Z","timestamp":1485550799982650792}

0 Karma
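
An added example, not part of the original thread: one way to get the count and percentage of every HTTP response code per application per hour, which is what the last post asks for. It assumes `ResponseCode` is extracted as a field, as in the searches above; `Count`, `Percent` and `StatusClass` are names chosen for this example.

```spl
index=myindex cf_org_name="ANA-CCN-CAP" cf_space_name="lab" cf_app_name="*" ResponseCode=*
| bin _time span=1h
| stats count AS Count BY _time cf_app_name ResponseCode
| eventstats sum(Count) AS Total BY _time cf_app_name
| eval Percent=round(Count*100/Total, 1)
| eval code=tonumber(ResponseCode)
| eval StatusClass=case(code>=500, "5xx", code>=400, "4xx", code>=300, "3xx", code>=200, "2xx", true(), "other")
| sort 0 _time cf_app_name ResponseCode
| eval Time=strftime(_time, "%c")
| table Time cf_app_name ResponseCode StatusClass Count Total Percent
```

For a one-hour load test, set the search time range to the test window and use a smaller bucket such as `span=5m`.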