I'm using a pretty straightforward query to see how many unique HTTP status codes are thrown from an IIS server during a given time period:
index=foo host=bar sourcetype=iis85
| top sc_status
The results are as follows:
sc_status   count   percent
401         95115   36.975773
302         91840   35.702623
200         70141   27.267179
404           140    0.054425
Adding the percentage values for each of the status codes together equals 100%.
I'd like to run the search across a longer timeframe (24 hours) and visualize on a line chart the percentages for each status code using a five minute aggregation. How can I accomplish this?
It sounds like a job for the timechart command. Here's one approach, but there may be others.
index=foo host=bar sourcetype=iis85
```Count events by status over 5-minute aggregations, taking only the top 10 ```
| timechart span=5m limit=10 useother=0 usenull=0 count by sc_status
```Get the total count for each time period ```
| addtotals label="Total" labelfield=Total
```Replace each result with a percentage of Total```
| foreach * [eval <<FIELD>> = round('<<FIELD>>'*100/Total, 2)]
```Remove the Total field```
| fields - Total
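A self-contained variant of the answer's pipeline that runs on any Splunk instance without IIS data, added here as an example and not part of the original answer. It synthesizes 2000 events over the last hour with makeresults (constructed data; the status mix roughly follows the counts in the question), restricts the foreach wildcard to the status-code columns so that Total is never rewritten, and appends a pct_sum column as a sanity check that each row's percentages add up to 100, give or take rounding. The single quotes around '<<FIELD>>' are what make a numeric field name such as 200 resolve to the field's value rather than to the literal number 200.

```spl
| makeresults count=2000
| eval _time = relative_time(now(), "-1h@m") + (random() % 3600)
| eval r = random() % 100
| eval sc_status = case(r < 37, "401", r < 72, "302", r < 99, "200", true(), "404")
| fields - r
| timechart span=5m limit=10 useother=0 usenull=0 count by sc_status
| addtotals fieldname=Total
| foreach 1* 2* 3* 4* 5* [eval <<FIELD>> = round('<<FIELD>>' * 100 / Total, 2)]
| eval pct_sum = 0
| foreach 1* 2* 3* 4* 5* [eval pct_sum = pct_sum + coalesce('<<FIELD>>', 0)]
| fields - Total
```

The first five lines only build test data; on a real deployment replace them with the base search from the question (index=foo host=bar sourcetype=iis85). The wildcards 1* 2* 3* 4* 5* match every HTTP status column (all status codes start with a digit from 1 to 5) but not Total, so Total still holds the raw count when the percentages are computed. With foreach * as in the answer, the Total column itself is also rewritten (it becomes 100.00, which is what the table in the comment below shows) before fields - Total drops it; narrowing the wildcard avoids that rewrite altogether. Drop the two pct_sum lines once you are satisfied the rows sum to 100 and put the search on a line chart.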
@richgalloway This gets me closer (timechart shows individual status codes...yay!), but adding up the percentage values from each status code for a given five minute period does not equal 100%. And, if I include the "total" field in the output, you'll note that it's consistently showing 100.00 as the value every five minutes:
_time                 200     302      401      404      Total
2023-05-16 00:00:00   71.94   108.63   144.24   145.32   100.00
2023-05-16 00:05:00   71.94   108.63   144.24   145.32   100.00
2023-05-16 00:10:00   69.69   105.23   139.72   140.77   100.00
2023-05-16 00:15:00   69.93   105.59   140.21   141.26   100.00
I didn't account for field names that are integers. I've updated my answer.
Those pesky quotation marks...
That did the trick! Thank you for your help!