Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

count two status by resource name

dreeck
Path Finder
‎01-24-2013 12:32 PM

hey All,

I'd like to produce a table or chart similar to the following:

---------- count(status=202) count(Status=404)
Resource 1 25 10
Resource 2 50 5
...

I'm getting close to what I want using this query;
sourcetype=access Status=404 OR Status=200 | stats c(Status) by Resource

but this gives me a chart that counts up all the caught status (202 and 404) in a single column.

Any ideas how I can seperate the 200s into seperate columns?

Extra credit: can I create a search that would isolate a time frame in which both 200s and 404s occur? For example, when the Splunk Natural Language release comes along, I'd want to say:
"Splunk, show me the most recent hour in which experienced both 200s and 404s"

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎01-24-2013 12:36 PM

use the chart command :
http://docs.splunk.com/Documentation/Splunk/5.0.1/SearchReference/Chart

sourcetype=access Status=404 OR Status=200 | chart count over Resource by Status

View solution in original post

Reply
Solved! Jump to solution

jonuwz
Influencer
‎01-24-2013 01:01 PM

This'll do it :

sourcetype=access Status=404 OR Status=200 | chart count over Resource by Status

example :

index=_internal sourcetype="splunkd_access" earliest=-1d | chart count over uri by status

To split this out into hourly data (using the example)

index=_internal sourcetype="splunkd_access" earliest=-1d
| bin _time span=1h
| eval uri=_time.";".uri
| chart count over uri by status
| rex field=uri "(?<_time>\d+);(?<uri>.*)"

To look for when 2 fields have data add (for example)

| where $404$>0 AND $200$> 0

(note I have to wrap the fields in $ signs so splunk knows these are field names and not raw numbers)

Now you can 

| sort - _time | head 1

To get the latest.

Reply
Solved! Jump to solution

dreeck
Path Finder
‎01-24-2013 01:28 PM

Awesome, thanks!

0 Karma
Reply
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎01-24-2013 12:36 PM

use the chart command :
http://docs.splunk.com/Documentation/Splunk/5.0.1/SearchReference/Chart

sourcetype=access Status=404 OR Status=200 | chart count over Resource by Status

Reply
Solved! Jump to solution

yannK
Splunk Employee
Splunk Employee
‎01-24-2013 02:08 PM

Difficult to do after the chart, because the fields names are replaced by the fied values after the chart.

So you have to use a stats before, filter, then add a chart after for presentation.
sourcetype=access Status=404 OR Status=200
| stats count by Resource Status
| where count >0
| chart values(count) over Resource by Status

0 Karma
Reply
Solved! Jump to solution

dreeck
Path Finder
‎01-24-2013 12:41 PM

Awesome, I didn't know about Over.

How can I restrict the chart to resources with counts greater than 0?

0 Karma
Reply
Solved! Jump to solution

dreeck
Path Finder
‎01-24-2013 12:33 PM

Side note: if I use this
sourcetype=access Status=404 OR Status=200 | stats c(Status=200), c(Status=404) by Resource

I get the chart format I want, but the counts are always zero.

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...