I'm new to all of this and can mainly do nothing but some simple searches. But if I wanted to create a graph showing the total connections as one line, then the total 503's as another, total 404's as another, etc... how would I go about doing that?
Basically, I can create each individual graph, but I would like to have them overlayed over time.
What I'm trying to do is see if the total requests made on an apache server correlates to when the bulk of the errors occur. I expect that when the first line above (total) goes up high, the lines of the errors also go up at the same time.
Is this sort of graph possible in Splunk?
There are several ways in which you can achieve this, for instance you could use a stacked area graph. Let's say that your web logs have the sourcetype
weblogs and that the field
httpResponseCode is being extracted from all the log events. In this case, you'd do:
sourcetype="weblogs" | timechart count by httpResponseCode
This gives you a count of each response code over time. By going into the report builder and choosing an area chart with stacked areas, the total height of the area over time will be equivalent to the total amount of requests, and you can see how much each response code contributes to that total.
Edit: additionally, if you prefer to solve it another way and want a method to get the total count in addition to the count for each individual response code, add
| addtotals to your search command. It will add a "Total" column to your chart containing the total count.
This I have done. But this just shows the different response codes not correlated to total traffic. I need this one + adding in another line tracking total traffic (i.e. all response codes combined)