Solved: count after group http_status and table with clien...

lim2 · ‎08-02-2017

Want to label sc_status <= 304 as Ok and sc_status >= 400 as Error and get the Ok and Error counts and table the client_ip, count(Ok) , count(Error). I did something like:
index=web sourcetype=iis |if (sc_status<=304, "Ok", "Error")|stats count(Ok) as Pages, count(Error) as Error by client_ip
and
index=web sourcetype=iis |stats count(sc_status <= 302) as Pages, count(sc_status >= 400) as Error by client_ip but the counts are both 0 even though I see the sc_status of 200, 302 and 400, 403. Could someone advise? Thanks.

gcusello · ‎08-02-2017

HI
try something like this:

index=web sourcetype=iis 
| stats count(eval(if(sc_status <= 304, "OK", NULL))) AS OK count(eval(if(sc_status >= 400, "Error", NULL))) AS Error by client_ip

Bye.
Giuseppe

View solution in original post

gcusello · ‎08-02-2017

HI
try something like this:

index=web sourcetype=iis 
| stats count(eval(if(sc_status <= 304, "OK", NULL))) AS OK count(eval(if(sc_status >= 400, "Error", NULL))) AS Error by client_ip

Bye.
Giuseppe

count after group http_status and table with client_ip, counts

Enter the Dashboard Challenge and Watch the .conf24 Global Broadcast!

Join Us at the Builder Bar at .conf24 – Empowering Innovation and Collaboration

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users