Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to group status code in coloumn

chiddarthan17
Explorer
‎12-04-2024 11:37 AM

I need to display list of all failed status code in column by consumers

Final Result:

Consumers Errors Total_Requests Error_Percentage list_of_Status
Test 10 100 10  500 400 404

         

Is there a way we can display the failed status codes as well in of list of status coloumn

index=test | stats count(eval(status>399)) as Errors,count as Total_Requests by consumers | eval Error_Percentage=((Errors/Total_Requests)*100)
Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎12-04-2024 04:46 PM

You need the eval like this

values(eval(if(status>399, status, null()))) as list_of_Status

otherwise the eval just returns a boolean type result, so you need to use if and assign the result.

You can also do it like this after the stats using mvmap

| eval list_of_Status=mvfilter(list_of_Status>=399)

View solution in original post

Reply
Solved! Jump to solution

chiddarthan17
Explorer
‎12-04-2024 03:12 PM

Thanks a lot. This works fine. Is there a way we can display only status which are greater than 399. Like (status>399)

i tried values(eval(status>399)) but it didn't work. 

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎12-04-2024 12:55 PM

Try this query

index=test | stats count(eval(status>399)) as Errors,count as Total_Requests, values(Status) as list_of_Status by consumers 
| eval Error_Percentage=((Errors/Total_Requests)*100)
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

chiddarthan17
Explorer
‎12-04-2024 03:26 PM

Thanks a lot. This works fine. Is there a way we can display only status which are greater than 399. Like (status>399)

i tried values(eval(status>399)) but it didn't work. 

Tags (1)
0 Karma
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎12-04-2024 04:46 PM

You need the eval like this

values(eval(if(status>399, status, null()))) as list_of_Status

otherwise the eval just returns a boolean type result, so you need to use if and assign the result.

You can also do it like this after the stats using mvmap

| eval list_of_Status=mvfilter(list_of_Status>=399)
Reply
Solved! Jump to solution

chiddarthan17
Explorer
‎12-04-2024 05:03 PM

Thank you.This works perfectly. 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...