Splunk Search

How to get the status wise data

SG
Path Finder

Hi,

I wrote the query below, which gives me data per service per minute...

index=**** | bucket _time span=1m | convert ctime(_time) AS Hour timeformat="%H:%M" | stats count AS Requests by service, Hour

Below is the screenshot for the same.


I wanted to split the requests based on HTTP status code (200, 404, 302, 500, etc.). I am using the query below for the same, but I am unable to get the data.

index=*** | bucket _time span=1m | convert ctime(_time) AS Hour timeformat="%H:%M" | chart count AS Requests,status as HTTP_status by service, Hour

Error screenshot:


Can someone please help me how to get the number of requests by status code?

Thanks,

SG
1 Solution

ITWhisperer
SplunkTrust

Not with chart; you can use stats, however:

| stats count by Hour service HTTP_status

ITWhisperer
SplunkTrust

chart (or timechart, as @PickleRick suggested) doesn't work with 4 dimensions (time, service, status and count). If you want just status, then use

| chart count AS Requests by HTTP_status, Hour

PickleRick
SplunkTrust

@ITWhisperer Ahhh. You're right. I keep forgetting that and facepalm myself every so often 😄

Indeed, that's one of the cases where binning with time actually makes sense.


SG
Path Finder

In this case I will not be able to bifurcate my stats service-wise.


ITWhisperer
SplunkTrust

Not with chart; you can use stats, however:

| stats count by Hour service HTTP_status

PickleRick
SplunkTrust

First things first: you don't usually want to do bucketing and then stats by time, because you have a specialized command for this: timechart.

So your search may be rewritten simply as:

index=***
| timechart span=1m count AS Requests status as HTTP_status by service

SG
Path Finder

Hi @PickleRick,

Thanks for your response.

The above method is also giving an error, as below:


Thanks,

SG


PickleRick
SplunkTrust

Ahhh, right. Forgot about that 🙂

Transforming commands need some form of aggregation function to be applied to fields. So you can't just give a simple field name. You can have count(status) or dc(status) or any other statistical function. In your case, I suppose values(status) will do.

Or, if you want to further break down your results by status, move the status from the aggregation to the "by" clause:

| timechart span=1m count by status service

EDIT: As @ITWhisperer already mentioned, this solution is wrong because of the two separate dimensions used for classifying events for stats. So we can either use manual binning and stats, or we have another solution: we can create an artificial combined dimension:

| eval servicestatus=service."-".status
| timechart span=1m count by servicestatus
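To make the data-shape point from this thread concrete, here is an added Python emulation (my own code, not Splunk SPL and not from any post above) of `stats count by Hour service status` versus `timechart count by servicestatus` on a constructed set of events. The sample events, the function names and the 5xx-share check are assumptions of this example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample events (hypothetical, not from the thread): epoch seconds, service, HTTP status.
EVENTS = [
    {"_time": 1638254400, "service": "auth", "status": 200},
    {"_time": 1638254405, "service": "auth", "status": 200},
    {"_time": 1638254410, "service": "auth", "status": 500},
    {"_time": 1638254420, "service": "cart", "status": 200},
    {"_time": 1638254470, "service": "auth", "status": 200},
    {"_time": 1638254480, "service": "cart", "status": 404},
    {"_time": 1638254490, "service": "cart", "status": 404},
    {"_time": 1638254500, "service": "auth", "status": 500},
    {"_time": 1638254505, "service": "auth", "status": 500},
]

def hour_minute(epoch):
    """Emulates `bucket _time span=1m | convert ctime(_time) AS Hour timeformat="%H:%M"` (UTC)."""
    return datetime.fromtimestamp(epoch - epoch % 60, tz=timezone.utc).strftime("%H:%M")

def with_hour(events):
    return [dict(e, Hour=hour_minute(e["_time"])) for e in events]

def add_servicestatus(events):
    """Emulates `eval servicestatus=service."-".status`, the combined dimension from the thread."""
    return [dict(e, servicestatus=f'{e["service"]}-{e["status"]}') for e in events]

def stats_count(events, by):
    """Emulates `stats count by <fields>`: long format, one row per distinct combination,
    so any number of split fields (Hour, service, status) fits."""
    return dict(Counter(tuple(e[f] for f in by) for e in events))

def timechart_count(events, by):
    """Emulates `timechart span=1m count by <field>`: wide format, rows are minutes and
    columns are the values of exactly ONE split field; that is why a second split
    field (service AND status) cannot be expressed without combining them first."""
    table = defaultdict(Counter)
    for e in events:
        table[hour_minute(e["_time"])][e[by]] += 1
    return {hour: dict(cols) for hour, cols in sorted(table.items())}

def error_share(stats_rows):
    """From `stats count by Hour service status` rows, derive the 5xx share per (Hour, service),
    the kind of per-service check the long-format output makes straightforward."""
    total, errors = Counter(), Counter()
    for (hour, service, status), n in stats_rows.items():
        total[(hour, service)] += n
        if status >= 500:
            errors[(hour, service)] += n
    return {key: errors[key] / total[key] for key in total}
```

Run `stats_count(with_hour(EVENTS), ("Hour", "service", "status"))` to see the three-field long table, and `timechart_count(add_servicestatus(EVENTS), "servicestatus")` to see the per-minute wide table with one column per `service-status` pair.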