Solved: count after group http_status and table with clien...

lim2 · ‎08-02-2017

Want to label sc_status <= 304 as Ok and sc_status >= 400 as Error and get the Ok and Error counts and table the client_ip, count(Ok) , count(Error). I did something like:
index=web sourcetype=iis |if (sc_status<=304, "Ok", "Error")|stats count(Ok) as Pages, count(Error) as Error by client_ip
and
index=web sourcetype=iis |stats count(sc_status <= 302) as Pages, count(sc_status >= 400) as Error by client_ip but the counts are both 0 even though I see the sc_status of 200, 302 and 400, 403. Could someone advise? Thanks.

gcusello · ‎08-02-2017

HI
try something like this:

index=web sourcetype=iis 
| stats count(eval(if(sc_status <= 304, "OK", NULL))) AS OK count(eval(if(sc_status >= 400, "Error", NULL))) AS Error by client_ip

Bye.
Giuseppe

View solution in original post

gcusello · ‎08-02-2017

HI
try something like this:

index=web sourcetype=iis 
| stats count(eval(if(sc_status <= 304, "OK", NULL))) AS OK count(eval(if(sc_status >= 400, "Error", NULL))) AS Error by client_ip

Bye.
Giuseppe

count after group http_status and table with client_ip, counts

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation