Solved: When searching for status errors, how to remove th...

skoelpin · ‎02-10-2015

I'm creating dashboards for the error status. We currently have 3 different statuses (200,404, and 0). The '200' status is the most common which accounts for ~13,000 while the Status '404' has a count of 5 and the Status '0' has a count of 2. I'm using a barchart to get a visualization of their frequencies and the 13,000 '404s' makes the other 2 statuses appear as they are zero.. How can I remove the 200 Status so I can just see the '404' and '0' statuses?

I tried using |outlier with no luck.. My current query is below

index=uv Status="| STATUS |* " | top Status

skoelpin · ‎02-10-2015

I ended up having to do this statically by using the limit=2 command.

Below is my query

index=uv Status="| STATUS |* |" | rare limit=2 Status

View solution in original post

skoelpin · ‎02-10-2015

I ended up having to do this statically by using the limit=2 command.

Below is my query

index=uv Status="| STATUS |* |" | rare limit=2 Status

ppablo · ‎02-10-2015

Have you tried adding Status!=200 to your search?

skoelpin · ‎02-10-2015

That doesn't work since the Status is enclosed in pipes. Any idea how I could get rid of the most frequent 200 call?

ppablo · ‎02-10-2015

hmm what does your table of results look like with your current search? Is there a "Status" column displaying values 200, 404 and 0 with their respective counts?

When searching for status errors, how to remove the most frequent error from results to properly display the others in a visualization?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life