Re: How to produce a table that can display 5xx st...

ccntech · ‎03-11-2022

I am trying to produce a table that can display 5xx status code counts per host over a timeframe (this will eventually be month, but for the purpose of this example will be by day).

I downloaded the tutorial data with apache logs and can see the data spans 8 days:

source="access.log" host="www*" sourcetype="access_combined_wcookie" status=500
|timechart span=1d count by host

I want to take this and analyze web server log files at work and increase span to 1 month. Is there a way for me to pivot /transform this data to get a breakdown that would provide the following table:

Daily 500 status code dashboard

host	02-25-22	02-26-22	02-27-22	etc	03-03-22
www1	13	39	35	etc	28
www2	24	31	45	etc	35
www3	18	51	34	etc	36

As stated above, I would like this by MONTH: Jan, Feb Mar etc so teams can glance at this table and see which hosts are improving/degrading or meeting SLOs etc. I do not want to create a bar chart, but rather keep the above format.

yuanliu · ‎03-12-2022

The command you are looking for is transpose. (I recently did the same.) Instead of timechart, start with chart. The following uses 1 week as example, and anchors at beginning of week. (C.f., How to specify relative time modifiers.)

source="access.log" host="www*" sourcetype="access_combined_wcookie" status=500
| bin span=1w@w _time
| chart count over _time by host
| eval _time=strftime(_time, "%m-%d-%y")
| transpose 0 header_field=_time column_name=host

ccntech · ‎03-12-2022

This is perfect! Thank you for such a quick reply!

ITWhisperer · ‎03-11-2022

Try this:

| timechart span=1mon count by host

How to produce a table that can display 5xx status code counts per host over a timeframe?

stats

table

Introducing the Splunk Developer Program!

Splunkbase Year in Review 2024

Developer Spotlight with Brett Adams

Are you a member of the Splunk Community?