Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to produce a table that can display 5xx status code counts per host over a timeframe?

ccntech
Explorer
‎03-11-2022 06:05 PM

I am trying to produce a table that can display 5xx status code counts per host over a timeframe (this will eventually be month, but for the purpose of this example will be by day).

I downloaded the tutorial data  with apache logs and can see the data spans 8 days:

source="access.log" host="www*" sourcetype="access_combined_wcookie" status=500
|timechart span=1d count by host

I want to take this and analyze web server log files at work and increase span to 1 month. Is there a way for me to pivot /transform this data to get a breakdown that would provide the following table:

Daily 500 status code dashboard

host 02-25-22 02-26-22 02-27-22 etc 03-03-22
www1 13 39 35 etc 28
www2 24 31 45 etc 35
www3 18 51 34 etc 36

 

As stated above, I would like this by MONTH: Jan, Feb Mar etc so teams can glance at this table and see which hosts are improving/degrading or meeting SLOs etc. I do not want to create a bar chart, but rather keep the above format.

 

Labels (2)
Labels
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎03-12-2022 12:16 AM

The command you are looking for is transpose. (I recently did the same.)  Instead of timechart, start with chart. The following uses 1 week as example, and anchors at beginning of week. (C.f., How to specify relative time modifiers.)

source="access.log" host="www*" sourcetype="access_combined_wcookie" status=500
| bin span=1w@w _time
| chart count over _time by host
| eval _time=strftime(_time, "%m-%d-%y")
| transpose 0 header_field=_time column_name=host

 

Tags (2)
Reply

ccntech
Explorer
‎03-12-2022 05:08 AM

This is perfect! Thank you for such a quick reply! 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-11-2022 11:36 PM

Try this:

| timechart span=1mon count by host
0 Karma
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...