Splunk Search

value of field

pudanelilita
Explorer

Hi,
I need to take data from field Source and calculate this data: http_400*100/Total+http_500*100/Total+http_300*100/Total
And show in chart. For now I have this:
| eval fields=split(_raw,"/")
| eval Source=mvindex(fields,3)
| rex field=_raw "(?ms)(?\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})"
| rangemap field=http_status_code http_200=200-299,http_300=300-399,http_400=400-499,http_500=500-599
| bucket _time span=1h
| chart count over _time by Source

Please advise!

0 Karma

richgalloway
SplunkTrust

Perhaps this will help. It's not clear what you want to show in the chart as there are three values available.

| rex field=source "(?<http_status_code>http_[345]00)"
| bucket _time span=1h
| stats count as Total, count(eval(http_status_code="http_300")) as http_300, count(eval(http_status_code="http_400")) as http_400, count(eval(http_status_code="http_500")) as http_500 by _time, Source
| eval pcthttp_300=http_300*100/Total, pcthttp_400=http_400*100/Total, pcthttp_500=http_500*100/Total

---
If this reply helps you, an upvote would be appreciated.
0 Karma
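To make the shape of that answer concrete, here is the same pipeline (split _raw on "/", take the fourth segment as Source, rangemap the status code, bucket by hour, count per status class, turn the counts into percentages and sum them the way the question's formula does) written in plain Python over a handful of constructed access-log lines. This is an added illustration, not Splunk code and not from either poster; the raw line layout, the "status=NNN" field and the capture-group name "client_ip" are assumptions.

```python
"""Python re-implementation of the thread's SPL: rangemap + hourly bucket + stats +
percentage evals. Runs over constructed sample events, not real Splunk data."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample events: (timestamp, _raw). The raw line is shaped so that the
# fourth "/"-separated segment (mvindex(split(_raw,"/"),3) in the question) is a
# meaningful Source value, and the HTTP status sits in an assumed status=NNN field.
SAMPLE_EVENTS = [
    ("2021-09-01T10:05:00Z", "10.0.0.5 GET /api/v1/orders/17 status=200"),
    ("2021-09-01T10:12:00Z", "10.0.0.5 GET /api/v1/orders/99 status=404"),
    ("2021-09-01T10:20:00Z", "10.0.0.7 POST /api/v1/orders/ status=500"),
    ("2021-09-01T10:31:00Z", "10.0.0.9 GET /api/v1/orders/3 status=200"),
    ("2021-09-01T10:40:00Z", "10.0.0.7 POST /api/v1/auth/login status=200"),
    ("2021-09-01T10:41:00Z", "10.0.0.7 POST /api/v1/auth/login status=500"),
    ("2021-09-01T11:02:00Z", "10.0.0.5 GET /api/v1/orders/17 status=301"),
    ("2021-09-01T11:15:00Z", "10.0.0.5 GET /api/v1/orders/17 status=200"),
]

# The question's rex captured an IPv4 address but its capture-group name did not
# survive the forum rendering; "client_ip" is an assumed name here.
IP_RE = re.compile(r"(?P<client_ip>\d{1,3}(?:\.\d{1,3}){3})")
STATUS_RE = re.compile(r"status=(?P<http_status_code>\d{3})")

# Same ranges as the rangemap in the question; rangemap labels anything outside
# every range with its default, which is "None" when no default= is given.
RANGES = [
    (200, 299, "http_200"),
    (300, 399, "http_300"),
    (400, 499, "http_400"),
    (500, 599, "http_500"),
]


def rangemap(status: int, default: str = "None") -> str:
    """Map a numeric status code to the rangemap label the thread uses."""
    for low, high, label in RANGES:
        if low <= status <= high:
            return label
    return default


def hour_bucket(ts: str) -> str:
    """Equivalent of `bucket _time span=1h`, rendered as a string key."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return dt.strftime("%Y-%m-%d %H:00")


def parse_event(ts: str, raw: str) -> dict:
    """Derive _time, Source, client_ip and the rangemapped http_status_code."""
    fields = raw.split("/")
    status = STATUS_RE.search(raw)
    ip = IP_RE.search(raw)
    return {
        "_time": hour_bucket(ts),
        "Source": fields[3] if len(fields) > 3 else None,
        "client_ip": ip.group("client_ip") if ip else None,
        "http_status_code": rangemap(int(status.group(1))) if status else None,
    }


def status_pct_by_hour_and_source(events) -> dict:
    """Mirror of `stats count as Total, count(eval(...)) ... by _time, Source`
    followed by the percentage evals. Returns {(hour, Source): row}."""
    counts = defaultdict(Counter)
    for ts, raw in events:
        ev = parse_event(ts, raw)
        if ev["Source"] is None:
            continue  # stats ... by drops events whose by-field is null
        key = (ev["_time"], ev["Source"])
        counts[key]["Total"] += 1  # plain count: every event in the group
        if ev["http_status_code"] is not None:
            counts[key][ev["http_status_code"]] += 1
    rows = {}
    for key, c in sorted(counts.items()):
        total = c["Total"]
        row = {"Total": total}
        for label in ("http_300", "http_400", "http_500"):
            row[label] = c[label]
            row["pct" + label] = c[label] * 100 / total
        # The question's formula: http_400*100/Total + http_500*100/Total + http_300*100/Total
        row["pct_non_2xx"] = row["pcthttp_300"] + row["pcthttp_400"] + row["pcthttp_500"]
        rows[key] = row
    return rows


if __name__ == "__main__":
    for (hour, source), row in status_pct_by_hour_and_source(SAMPLE_EVENTS).items():
        print(hour, source, row)
```

Each returned row corresponds to one row of the stats output, so charting pct_non_2xx (or any one of the pct fields) over the hour key, split by Source, gives the chart the question asks for. Plotted that way, a sudden jump in pcthttp_400 or pcthttp_500 for a single Source is the kind of per-source shift worth alerting on.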

richgalloway
SplunkTrust

What data do you want to take from field 'source'? Please provide samples.
Where do "http_400", "http_500", and "http_300" come from? What is "Total"?
The rex command is missing a field extraction. It appears to be looking for an IP address, but this is not mentioned in your question. Please advise.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

pudanelilita
Explorer

"http_400", "http_500", and "http_300" come from the event.
Basically I need the output of the Source field, which has this "http_400" or "http_500" or "http_300", and in the end just count it.

0 Karma