We have the following sample event data:
Timestamp=2018-11-27_14:32 Hostname=xxxxx Service=xxxxx Domain=xxxx JVM=xxxsvr01 IP=xx.xx.xx.xx ResponseCodes=200-16
In this event, the 200-16 represents the last minute of data, in which there have been a total of 16 occurrences of the HTTP 200 code within the data that has been ingested. We then split this value into two separate fields: code (the HTTP code, 200) and codecount (the total occurrences of that code, 16).
We do this with the following search:
index=sample
| rex field=ResponseCodes "(?<f1>[^-]\d+)"
| rex field=ResponseCodes "(?<f2>(?<=-)\d+)"
| eval fields=mvzip(f1,f2)
| mvexpand fields
| rex field=fields "(?<code>\d+),(?<codecount>\d+)"
| stats sum(codecount) by code
When we run this we are presented with Statistics of the following:
code    codecount
200     117319
400     8
404     1
500     22
What we want to achieve is a way of:
Splitting off all Response Codes into their own Field, using something like:
eval ResponseCode2xx=case(like(code, "2%"), "2xx"), ResponseCode4xx=case(like(code, "4%"), "4xx"), ResponseCode5xx=case(like(code, "5%"), "5xx")
convert num(ResponseCode2xx), num(ResponseCode4xx), num(ResponseCode5xx)
Do a sum of codecount just like in the above, but instead of doing that by:
| stats sum(codecount) by code
Do something like:
| stats sum(codecount) by ResponseCode2xx, ResponseCode4xx, ResponseCode5xx
The result of this would be something like the below: when you click on the individual ResponseCode2xx, ResponseCode4xx, or ResponseCode5xx fields from within a search, you are presented with:
Values Count
200 117319
Is this possible?
Basically, the reason we require this is so that we can use the metric of ResponseCode2xx/ResponseCode4xx/ResponseCode5xx within ITSI after splitting by the Entity of the JVM Field within a KPI Base Search, so that we would end up with a count of 2/4/500s under each JVM under specific metrics.
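One way to get per-JVM 2xx/4xx/5xx totals as separate numeric fields, added here as an example and not part of the original post: instead of creating one field per class up front, bucket each code by its first digit and let `chart` pivot the classes into columns. The field names and the `index=sample` search are taken from the post; the assumption that `ResponseCodes` may carry several space-separated `code-count` pairs (the post shows a single `200-16`) is mine, which is why the first `rex` uses `max_match=0` and the pairs are re-zipped before expanding, as in the original search.

```spl
index=sample
| rex field=ResponseCodes max_match=0 "(?<code_mv>\d{3})-(?<count_mv>\d+)"
| eval pair=mvzip(code_mv, count_mv)
| mvexpand pair
| rex field=pair "(?<code>\d{3}),(?<codecount>\d+)"
| eval codecount=tonumber(codecount)
| eval class="ResponseCode".substr(code,1,1)."xx"
| fields - code_mv count_mv pair
| chart sum(codecount) over JVM by class
| fillnull value=0
```

`eval class=...` turns 200 into `ResponseCode2xx`, 404 into `ResponseCode4xx` and 500 into `ResponseCode5xx`, so the `chart` output is one row per JVM with numeric `ResponseCode2xx`, `ResponseCode4xx` and `ResponseCode5xx` columns (and `ResponseCode3xx` if any appear in the data); `fillnull` gives a JVM that saw no 4xx or 5xx in the window a 0 rather than an empty cell. Whether this shape satisfies an ITSI KPI base search split by the JVM entity is an assumption on my part and should be checked against the ITSI version in use; the search itself can be verified in a plain Splunk search against the sample index.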