Solved: Splunk queries

saidAb · ‎04-30-2024

Hi all,

A query, can calculate http calls, success responses and error response. I need an addition to the query to get how many requests are without response. I mean calls - success_respnses - erros_rsponse = null_responses.

Some good idea bout this? Thanks in advance!

ITWhisperer · ‎04-30-2024

index="xxxx" sourcetype="xxxxx" message.request_path!=*/healthCheck

          | fillnull value=0 backend_time

          | stats count(eval('message.direction'="request")) as Calls, count(eval('message.response_code'="200")) as Success, count(eval('message.response_code'!="200")) as Error
| eval "No response"=Calls-Success-Error

View solution in original post

gcusello · ‎04-30-2024

Hi @saidAb ,

if you could share your search, it's easier to help you, anyway, I suppose that you are using eval instats, in this case, add the total count of events and calcuate as difference from this value.

e.g.

<your_search>
| stats
    count(eval(status="success")) success_count
    count(eval(status="failed")) failed_count
    count
| eval others=count-success_count-failed_count

Ciao.

Giuseppe

ITWhisperer · ‎04-30-2024

It depends on your data. Please can you share some sample anonymised represntative events in a code block so we can see what you are dealing with.

saidAb · ‎04-30-2024

Thank you very match fro helping me!

This works now fine!

Have nice day!

saidAb · ‎04-30-2024

index="xxxx" sourcetype="xxxxx" message.request_path!=*/healthCheck

| fillnull value=0 backend_time

| stats count(eval('message.direction'="request")) as Calls, count(eval('message.response_code'="200")) as Success, count(eval('message.response_code'!="200")) as Error

E.g.

On the resuts, I see: Calls 27; Success 11; Error 6

I need also to see in the results, that there was no responses for 10 calls (null_resposes) as well.

ITWhisperer · ‎04-30-2024

index="xxxx" sourcetype="xxxxx" message.request_path!=*/healthCheck

          | fillnull value=0 backend_time

          | stats count(eval('message.direction'="request")) as Calls, count(eval('message.response_code'="200")) as Success, count(eval('message.response_code'!="200")) as Error
| eval "No response"=Calls-Success-Error

saidAb · ‎04-30-2024

Super! Thanks!

saidAb · ‎04-30-2024

Thanks!

This works partially very good. It provides in the results all calls, success, errors and no_responses (for the calls where no_response happens) . However it ignores other calls where requests and responses are equal.

saidAb · ‎04-30-2024

Resolved. It works now correctly. I added 'by ...' and I see all the results.

Thank you very match!!!

gcusello · ‎04-30-2024

hi @saidAb ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

saidAb · ‎04-30-2024

Gratie Giuseppe!

See you next time!

Have a nice day.

Splunk queries

count

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?