- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Report showing total events combined with stat...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Report showing total events combined with status types?
I'm new to all of this and can mainly do nothing but some simple searches. But if I wanted to create a graph showing the total connections as one line, then the total 503's as another, total 404's as another, etc... how would I go about doing that?
Basically, I can create each individual graph, but I would like to have them overlayed over time.
What I'm trying to do is see if the total requests made on an apache server correlates to when the bulk of the errors occur. I expect that when the first line above (total) goes up high, the lines of the errors also go up at the same time.
Is this sort of graph possible in Splunk?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There are several ways in which you can achieve this, for instance you could use a stacked area graph. Let's say that your web logs have the sourcetype weblogs and that the field httpResponseCode is being extracted from all the log events. In this case, you'd do:
sourcetype="weblogs" | timechart count by httpResponseCode
This gives you a count of each response code over time. By going into the report builder and choosing an area chart with stacked areas, the total height of the area over time will be equivalent to the total amount of requests, and you can see how much each response code contributes to that total.
Edit: additionally, if you prefer to solve it another way and want a method to get the total count in addition to the count for each individual response code, add | addtotals to your search command. It will add a "Total" column to your chart containing the total count.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Perfect! That's exactly what I needed. thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
See the added info. You'll get a total count either by stacking the chart or using addtotals. Or did I misunderstand your question?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This I have done. But this just shows the different response codes not correlated to total traffic. I need this one + adding in another line tracking total traffic (i.e. all response codes combined)
Splunk Custom Visualizations App End of Life
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
