Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to find the totals of status codes per uri per day?

Arjang
Explorer
‎01-28-2018 11:28 PM

I am using the following search:

( sourcetype=iis ) sc_status=500 |stats count by  uri_path sc_status date

but that only gives me the failures, I want the successes for them as well i.e. sc_status=200 or other sc_status

If I try :

( sourcetype=iis ) |stats count by  uri_path sc_status date

I get too many results that had never had 400, 500, i.e. the ur_path s that always were successful,
I just want the 

( sourcetype=iis ) |stats count by  uri_path sc_status date

results sets that contain at least one sc_status >400

I tried using join, inner join (1)

 ( sourcetype=iis ) sc_status=500 |stats count by  uri_path sc_status date

with (2)

 ( sourcetype=iis ) |stats count by  uri_path sc_status date

I got this :

( sourcetype=iis ) sc_status=500 |fields  uri_path | join uri_path [search sourcetype=iis | fields uri_path,sc_status,date ] | stats count by uri_path , sc_status , date| sort -count

but the result does not contain any sc_status = 500

The result should be (2) where each one of the uri_path was in (1).
That means sc_status = 500 should also be included in the final result.
Maybe there is an alternative way of finding the totals of status codes per uri per day. I would be happy with just a result like so

uri_path,sc_"statusLessThan400","sc_statusGreaterThanOrEqualTo400",date
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎01-29-2018 12:33 AM

@Arjang, please try the following:

 sourcetype=iis ) sc_status=*
| stats count(eval(sc_status=200)) as Success count(eval(sc_status!=200)) as Failures by  uri_path sc_status date
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Reply
Solved! Jump to solution
Solution

niketn
Legend
‎01-29-2018 12:33 AM

@Arjang, please try the following:

 sourcetype=iis ) sc_status=*
| stats count(eval(sc_status=200)) as Success count(eval(sc_status!=200)) as Failures by  uri_path sc_status date
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

Arjang
Explorer
‎01-29-2018 12:52 AM

Thank you!

I ended up using :

(sourcetype=iis ) sc_status=* CurrentWork | stats count(eval(sc_status=200)) as Success count(eval(sc_status!=200)) as Failures by  uri_path date | search Failures > 0 | fields uri_path, date, Success,Failures
Reply
Solved! Jump to solution

niketn
Legend
‎01-29-2018 01:17 AM

Great... I am sorry I think I missed the second part of your question. Glad you figured it out 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

Arjang
Explorer
‎01-29-2018 01:41 AM

you did the hardest part, once there are results filtering was easy.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...