- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to find HTTP error code count with percentage ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
i am trying to find each application individual http error codes total count with percentage
here is the query which i was using to display some fields but it is with 200,how can we get other http codes with total count and percentage on time basis
index=myindex cf_org_name="ANA-CCN-CAP" cf_space_name="lab" cf_app_name="ana-ccn-cap-sit" |eval StatusCode=if(ResponseCode=200,"Success","Failure")
|timechart span=1h count by StatusCode | addtotals|
eval Percent_Failure=round(Failure/ Total * 100, 1)| timechart span=1d sum(Total) as Total sum(Failure) as Failure sum(Success) as Success |
rename _time as Time |table Total Success Failure SuccessePercentage FailurePercentage
|eval FailurePercentage=round(Failure/ Total * 100, 1) |eval SuccessePercentage=round(Success/ Total * 100, 1)
|eval FailurePercentage=FailurePercentage+"%" |fieldformat Total=tostring(Total,"commas")| fieldformat Failure=tostring(Failure, "Commas") |eval SuccessePercentage=SuccessePercentage+"%"
| eval Time=strftime(Time,"%c")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Maybe this (it is very unclear what you mean "by application"):
index=myindex cf_org_name="ANA-CCN-CAP" cf_space_name="lab" cf_app_name="ana-ccn-cap-sit"
| stats count AS Total count(eval(ResponseCode="200")) AS Success BY application
| eval Failure = Total - Success
| eval Percent_Failure=round((Failure/ Total) 100, 1)
| eval Percent_Success=100 - PercentFailure
| rename _time as Time
| table Total Success Failure SuccessePercentage FailurePercentage
| eval FailurePercentage=FailurePercentage+"%"
| fieldformat Total=tostring(Total,"commas")
| fieldformat Failure=tostring(Failure, "Commas")
|eval SuccessePercentage=SuccessePercentage+"%"
| eval Time=strftime(Time,"%c")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Maybe this (it is very unclear what you mean "by application"):
index=myindex cf_org_name="ANA-CCN-CAP" cf_space_name="lab" cf_app_name="ana-ccn-cap-sit"
| stats count AS Total count(eval(ResponseCode="200")) AS Success BY application
| eval Failure = Total - Success
| eval Percent_Failure=round((Failure/ Total) 100, 1)
| eval Percent_Success=100 - PercentFailure
| rename _time as Time
| table Total Success Failure SuccessePercentage FailurePercentage
| eval FailurePercentage=FailurePercentage+"%"
| fieldformat Total=tostring(Total,"commas")
| fieldformat Failure=tostring(Failure, "Commas")
|eval SuccessePercentage=SuccessePercentage+"%"
| eval Time=strftime(Time,"%c")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks woodcock.
application means,we have applications like:
ana-ccn-cap-sit
ana-ccn-cap-sit1
ana-ccn-cap-sit2
ana-ccn-cap-sit3
i created a dropdown and i can pass application name in search query and get success,failure and respective percentages for each application.
with your help,i modified little bit and got the expected results
here is the total search
index=myindex cf_org_name="ANA-CCN-CAP" cf_space_name="lab" cf_app_name="*" | stats count AS Total count(eval(ResponseCode="200")) AS Success BY cf_app_name
| eval Failure = Total - Success | eval Percent_Failure=round((Failure*100/ Total), 1) | eval Percent_Success=round((100 - Percent_Failure),1) | rename _time as Time
| table Time cf_app_name Total Success Failure Percent_Failure Percent_Success
| eval Percent_Failure=Percent_Failure. "%"
| fieldformat Total=tostring(Total,"commas")
| fieldformat Failure=tostring(Failure, "Commas")
|eval Percent_Success=Percent_Success. "%"
| eval Time=strftime(Time,"%c")
but i am not able to display time with above search
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It what manner would you like time to be displayed? A single value per line with the earliest value? A table broken out by month?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It would be good if it is single value per line with the earliest
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this:
index=myindex cf_org_name="ANA-CCN-CAP" cf_space_name="lab" cf_app_name="*"
| stats count AS Total first(_time) AS Time count(eval(ResponseCode="200")) AS Success BY cf_app_name
| eval Failure = Total - Success
| eval Percent_Failure=round((Failure*100/ Total), 1)
| eval Percent_Success=round((100 - Percent_Failure),1)
| table Time cf_app_name Total Success Failure Percent_Failure Percent_Success
| eval Percent_Failure=Percent_Failure. "%"
| fieldformat Total=tostring(Total,"commas")
| fieldformat Failure=tostring(Failure, "Commas")
|eval Percent_Success=Percent_Success. "%"
| eval Time=strftime(Time,"%c")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thank you for your prompt response.now results looks good
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
BTW, there was a mistake; when I wrote first, I should have written earliest. Please change that and it will be correct.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sure,we ran load test for 1 hour and can we show the success and failure rate between starting to ending time.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you post some sanitized example log events? Atm it's hard to help at all I guess.
Furthermore what do you expect as result? Please give an example.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i am expecting http error codes total count with percentage by application name on time basis
here is the sample log
<6>2017-01-27T20:59:59Z v204vtn756h doppler[19]: {"cf_app_id":"6b3e0a17-c90e-4921-8bb5-d01dbc4fc768","cf_app_name":"ana-ccn-cap-sit","cf_ignored_app":false,"cf_org_id":"fd12558e-ddaf-4dd2-91b3-85f28ccd27f3","cf_org_name":"ANA-CCN-CAP","cf_origin":"firehose","cf_space_id":"f9e2c3b9-ff7a-46b2-b359-9ec4ec13487b","cf_space_name":"lab","deployment":"cf","event_type":"LogMessage","ip":"168.72.186.200","job":"diego_cell-partition-ee9c6bad3843f162447f","job_index":"8","level":"info","message_type":"OUT","msg":" INFO [o-8080-exec-322] c.c.c.l.c.f.CCPLoggingContextFilter c.c.c.l.c.f.CCPLoggingContextFilter.postProcess(CCPLoggingContextFilter.java:187) - POST|/public/sso/keepalive|72DE4B61-ac57-c4eb-c757-dde94f4866|cf17546a-bd9a-4f52-829e-ac78298510b8|US|GCB|MBK||METRICS|ResponseCode=200|ResponseTime=44","origin":"rep","source_instance":"0","source_type":"APP","time":"2017-01-27T20:59:59Z","timestamp":1485550799982650792}
Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey
Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...
Monitoring Amazon Elastic Kubernetes Service (EKS)
