Splunk Search

How to get count for different values in a field when dealing with datamodels?

samakshkhatri
Engager

I have a Data Model called Web_Events with a root object called Access. 

There is a field in Access called 'status_category' with values "client error", "server error", "okay" or "other".

I am trying to list the count of events which have 'status_catgory' as "client error" and "server error" hour by hour

So I want to generate a table of following format

_timeclient_error_countserver_error_count
2022-01-26:17:30:00<count of client error><count of server error>
2022-01-26:18:30:00<count of client error><count of server error>

 

Can anyone help me with this?

The closest I could achieve was as following: 

_timeAccess.status_categoryerror_count
2022-01-26:17:30:00server error2
2022-01-26:18:30:00client error6
2022-01-26:18:30:00server error7

 

with help of this query: (status_code is another field which contains values of HTTP status codes)

| tstats count(Access.status_code) as error_count from datamodel=Web_Events.Access where Access.status_code!=200 earliest="01/26/2022:00:00:00" latest="02/02/2022:23:59:59" BY Access.status_category _time span=1h | table _time, Access.status_category, error_count | sort _time

 

Labels (2)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

Try adding:

| xyseries _time, Access.status_category, error_count

View solution in original post

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Try adding:

| xyseries _time, Access.status_category, error_count
0 Karma

samakshkhatri
Engager

This worked! Thanks a lot

Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...