Re: How to sum changing values on a timechart?

ctallarico20 · ‎06-03-2013

Hi everyone, I've got a sample log that looks like
[2013-06-03 11:35:42:66 EDT] RESPONSES 200=17 503=5 401=2. The 200, 503, and 401 are http responses, and I'd like to make a timechart that sums them over time. Additionally, it won't always be 200, 503, and 401 - the next log could ouput just RESPONSES 200=24 or RESPONSES 404=21 503=3 400=2 How would I plot all these sums in a timechart?

sundareshr · ‎09-07-2016

Try this

... | table _time 1* 2* 3* 4* 5* 6* | untable _time http_response counts | timechart span=1h sum(counts) as counts by http_response

tgdvopab · ‎09-07-2016

Hi, try something like this:

eval count_200=if(200=17,1,0) | eval count_503=if(503=5,1,0) | eval count_401=if(401=2,1,0)

and then:

timechart sum(count*)

ctallarico20 · ‎06-03-2013

I want a stacked column graph, with each response code grouped. So no, a 400 is different than a 401 and a 404

bmacias84 · ‎06-03-2013

Would you like to group all 40x, 50x, 30x response codes together for charting or a line for each response code? It also look like your colums are dynamic, is this true?

How to sum changing values on a timechart?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Event Series: Splunk Observability Metrics Cost Optimization

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Join the Conversation