Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to get the status code status code

mrafiq17
Explorer
‎05-08-2019 01:04 PM

I have written the following query to calculate the number of response code with api and their respective http status and calculate the total number of failure and success count.

host=abc-a-fr-* source=*access..log* /api/* |eval status1=status|eval file=urldecode(file)| stats count AS Total count(eval(status<=399)) AS Success BY file| eval Failure = Total - Success | eval Percent_Failure=round((Failure/ Total) * 100, 1)| eval Percent_Success=round((Success/ Total) * 100, 1) |table file Total Success Percent_Success Percent_Failure|where NOT match(file,"\d+$$$$")

And the following is the output
file Total Success Percent_Success Percent_Failure
currencies 2 0 0.0 100.0
OrderId 7 0 0.0 100.0
addressId 3 0 0.0 100.0
deliveryslot 205961 5956 2.9 97.1

If i group the count by status,if give me completely different data, what i would like to add is the status in the table, but when i put the status field in the table there is no data

Below is what i would like to achieve
file Status Total Success Percent_Success Percent_Failure
currencies 503 2 0 0.0 100.0
OrderId 401 7 0 0.0 100.0
addressId 503 3 0 0.0 100.0
deliveryslot 400 205961 5956 2.9 97.1

How do I achieve this, please help me

Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
‎05-09-2019 08:28 AM

Try this:

host=abc-a-fr-* source=*access..log* /api/*
| eval file=urldecode(file)
| where NOT match(file,"\d+$$$$")
| eval status=coalesce(status, "UNKNOWN")
| stats values(status) As Status count AS Total count(eval(status<=399)) AS Success BY file
| eval Failure = Total - Success
| eval Percent_Failure=round((Failure/Total) * 100, 1)
| eval Percent_Success=100 - Percent_Failure
| table file Status Total Success Percent_Success Percent_Failure
0 Karma
Reply

koshyk
Super Champion
‎05-08-2019 02:55 PM

Its because, status is removed at your stats command

host=abc-a-fr-* source=*access..log* /api/* 
|eval status1=status
|eval file=urldecode(file)
| stats count AS Total count(eval(status<=399)) AS Success BY file, status
| eval Failure = Total - Success 
| eval Percent_Failure=round((Failure/ Total) * 100, 1)
| eval Percent_Success=round((Success/ Total) * 100, 1) 
|table file status Total Success Percent_Success Percent_Failure|where NOT match(file,"\d+$$$$")
0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...