Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

When searching for status errors, how to remove the most frequent error from results to properly display the others in a visualization?

skoelpin
SplunkTrust
SplunkTrust
‎02-10-2015 12:46 PM

I'm creating dashboards for the error status. We currently have 3 different statuses (200,404, and 0). The '200' status is the most common which accounts for ~13,000 while the Status '404' has a count of 5 and the Status '0' has a count of 2. I'm using a barchart to get a visualization of their frequencies and the 13,000 '404s' makes the other 2 statuses appear as they are zero.. How can I remove the 200 Status so I can just see the '404' and '0' statuses?

I tried using |outlier with no luck.. My current query is below

index=uv Status="| STATUS |* " | top Status

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

skoelpin
SplunkTrust
SplunkTrust
‎02-10-2015 01:32 PM

I ended up having to do this statically by using the limit=2 command.

Below is my query

index=uv Status="| STATUS |* |" | rare limit=2 Status

View solution in original post

Reply
Solved! Jump to solution
Solution

skoelpin
SplunkTrust
SplunkTrust
‎02-10-2015 01:32 PM

I ended up having to do this statically by using the limit=2 command.

Below is my query

index=uv Status="| STATUS |* |" | rare limit=2 Status

Reply
Solved! Jump to solution

ppablo
Retired
‎02-10-2015 01:03 PM

Have you tried adding Status!=200 to your search?

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎02-10-2015 01:14 PM

That doesn't work since the Status is enclosed in pipes. Any idea how I could get rid of the most frequent 200 call?

0 Karma
Reply
Solved! Jump to solution

ppablo
Retired
‎02-10-2015 01:30 PM

hmm what does your table of results look like with your current search? Is there a "Status" column displaying values 200, 404 and 0 with their respective counts?

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...