Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get the status wise data

SG
Path Finder
‎11-29-2021 10:50 PM

Hi,

I wrote below query which gives me data per service per min...

index=**** | bucket _time span=1m | convert ctime(_time) AS Hour timeformat="%H:%M" | stats count AS Requests by service, Hour

Below is the screenshot for same

SG_0-1638254814390.png

 

the requests i wanted to split based on HTTP status code (200, 404, 302, 500 etc). I am using below query for same but i am unabe to get the data.

index=*** | bucket _time span=1m | convert ctime(_time) AS Hour timeformat="%H:%M" | chart count AS Requests,status as HTTP_status by service, Hour

error screen shot - 

SG_1-1638254934936.png

 

Can someone please help me how to get the number of requests by status code?

Thanks,

SG

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-29-2021 11:28 PM

Not with chart - you can use stats however

| stats count by Hour service HTTP_status

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-29-2021 11:21 PM

chart (or timechart as @PickleRick  suggested) doesn't work with 4 dimensions (time, service, status and count). if you want just status then use

| chart count AS Requests by HTTP_status, Hour

 

Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎11-30-2021 12:11 AM

@ITWhisperer Ahhh. You're right. I keep forgetting that and facepalm myself every so often 😄

Indeed, that's one of the cases where binning with time actually makes sense.

0 Karma
Reply
Solved! Jump to solution

SG
Path Finder
‎11-29-2021 11:25 PM

In this case i will not be able to bifurcate my stats service wise.

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-29-2021 11:28 PM

Not with chart - you can use stats however

| stats count by Hour service HTTP_status
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎11-29-2021 11:03 PM

First things first - you don't usually want to do bucketting and then stats by time because you have a specialized command for this - timechart

So your search may be rewritten simply as

index=***
| timechart span=1m count AS Requests status as HTTP_status by service
0 Karma
Reply
Solved! Jump to solution

SG
Path Finder
‎11-29-2021 11:07 PM

HI @PickleRick ,

Thanks for your response.

Above method also giving error as below..

SG_0-1638256025658.png

 

 

Thanks,

SG

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎11-29-2021 11:10 PM

Ahhh, right. Forgot about that 🙂

Transforming commands need some form of aggregation function to be applied to fields. So you can't just give a simple field name. You can have count(status) or dc(status) or any other statistical function. In your case, I suppose values(status) will do.

Or if you want to further break down your results by status move the status from the aggregation to the "by" clause

| timechart span=1m count by status service

 EDIT: As @ITWhisperer already mentioned, this solution is wrong because of two separate dimension used for classifying events for stats. So we can either use manual binning and statsing or we have another solution - we can create an artificial combined dimension:

| eval servicestatus=service."-".status
| timechart span=1m count by servicestatus
0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top