Re: How to sum changing values on a timechart?

ctallarico20 · ‎06-03-2013

Hi everyone, I've got a sample log that looks like
[2013-06-03 11:35:42:66 EDT] RESPONSES 200=17 503=5 401=2. The 200, 503, and 401 are http responses, and I'd like to make a timechart that sums them over time. Additionally, it won't always be 200, 503, and 401 - the next log could ouput just RESPONSES 200=24 or RESPONSES 404=21 503=3 400=2 How would I plot all these sums in a timechart?

sundareshr · ‎09-07-2016

Try this

... | table _time 1* 2* 3* 4* 5* 6* | untable _time http_response counts | timechart span=1h sum(counts) as counts by http_response

tgdvopab · ‎09-07-2016

Hi, try something like this:

eval count_200=if(200=17,1,0) | eval count_503=if(503=5,1,0) | eval count_401=if(401=2,1,0)

and then:

timechart sum(count*)

ctallarico20 · ‎06-03-2013

I want a stacked column graph, with each response code grouped. So no, a 400 is different than a 401 and a 404

bmacias84 · ‎06-03-2013

Would you like to group all 40x, 50x, 30x response codes together for charting or a line for each response code? It also look like your colums are dynamic, is this true?

How to sum changing values on a timechart?

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!

Introducing the Splunk Community Dashboard Challenge!