Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to group status code in coloumn

chiddarthan17
Explorer
‎12-04-2024 11:37 AM

I need to display list of all failed status code in column by consumers

Final Result:

Consumers Errors Total_Requests Error_Percentage list_of_Status
Test 10 100 10  500 400 404

         

Is there a way we can display the failed status codes as well in of list of status coloumn

index=test | stats count(eval(status>399)) as Errors,count as Total_Requests by consumers | eval Error_Percentage=((Errors/Total_Requests)*100)
Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎12-04-2024 04:46 PM

You need the eval like this

values(eval(if(status>399, status, null()))) as list_of_Status

otherwise the eval just returns a boolean type result, so you need to use if and assign the result.

You can also do it like this after the stats using mvmap

| eval list_of_Status=mvfilter(list_of_Status>=399)

View solution in original post

Reply
Solved! Jump to solution

chiddarthan17
Explorer
‎12-04-2024 03:12 PM

Thanks a lot. This works fine. Is there a way we can display only status which are greater than 399. Like (status>399)

i tried values(eval(status>399)) but it didn't work. 

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎12-04-2024 12:55 PM

Try this query

index=test | stats count(eval(status>399)) as Errors,count as Total_Requests, values(Status) as list_of_Status by consumers 
| eval Error_Percentage=((Errors/Total_Requests)*100)
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

chiddarthan17
Explorer
‎12-04-2024 03:26 PM

Thanks a lot. This works fine. Is there a way we can display only status which are greater than 399. Like (status>399)

i tried values(eval(status>399)) but it didn't work. 

Tags (1)
0 Karma
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎12-04-2024 04:46 PM

You need the eval like this

values(eval(if(status>399, status, null()))) as list_of_Status

otherwise the eval just returns a boolean type result, so you need to use if and assign the result.

You can also do it like this after the stats using mvmap

| eval list_of_Status=mvfilter(list_of_Status>=399)
Reply
Solved! Jump to solution

chiddarthan17
Explorer
‎12-04-2024 05:03 PM

Thank you.This works perfectly. 

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing the Expansion of the Splunk Academic Alliance Program

The Splunk Community is more than just an online forum — it’s a network of passionate users, administrators, ...

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top