×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
cmarrott
Explorer
Member since: ‎06-30-2021
‎07-01-2021
Community Statistics
Posts 5
Solutions 0
Karma Given 3
Karma Received 0
Member Since ‎06-30-2021
Activity Feed
View All

Dashboard customization - change 500, 504 to 5xx c...

by in Dashboards & Visualizations
‎06-30-2021 11:28 AM
‎06-30-2021 11:28 AM
500 and 504 are shown here - but i'd like to condense them to one column="5xx" (same with 400, where all 4% responses would be shown under "4xx"     <panel> <table> <title>Functions Statistics by ResponseCode</title> <search base="base_search3"> <query> stats sum(count) as Count sum(S) as Success sum(F) as Failures avg(Avg_ResponseTime) as Average_ResponseTime by _time FNAME CODE | eval Availability=(Success/(Success+Failures))*100 | chart count by FNAME CODE </query> </search> <option name="count">15</option> <option name="drilldown">none</option> <option name="refresh.display">progressbar</option> </table> </panel>     the above is the relevant code ... View more
Labels

Re: Error in 'eval' command: The expression is mal...

by in Splunk Search
‎06-30-2021 09:46 AM
‎06-30-2021 09:46 AM
  @ITWhisperer wrote: What is this   eval status=(status, "4%"),"4xx"   trying to do? Also, I am not sure you need to escape the backslash in the rex as you are probably trying to escape the d and I expect you don't really need a field that always has the text "HttpStatus" in   rex field=message "HttpStatus: (?&lt;status&gt;\d+)"     I'm not sure I understand. To clarify what the query is intending to do overall is  Search for a specific API, return all status codes of a specific type, display them in a piechart by % :   This is using the solution provided by @kamlesh_vaghela    ... View more

Re: Error in 'eval' command: The expression is mal...

by in Splunk Search
‎06-30-2021 09:36 AM
‎06-30-2021 09:36 AM
Confirmed this worked! Thank you!   ... View more

Re: Error in 'eval' command: The expression is mal...

by in Splunk Search
‎06-30-2021 09:32 AM
‎06-30-2021 09:32 AM
<query>"$ps_fn$" |rex field=message "(?&lt;Http&gt;HttpStatus): (?&lt;status&gt;\\d+)" | eval ActResult=case(status=400, "400", status=401, "401", status=402, "402", status=403, "403", status=404, "404") | stats count by ActResult | eval ActResult = count+" : "+ActResult</query> Is it better to do it like this? ... View more

Error in 'eval' command: The expression is malform...

by in Splunk Search
‎06-30-2021 09:22 AM
‎06-30-2021 09:22 AM
    <query>"$ps_fn$" |rex field=message "(?&lt;Http&gt;HttpStatus): (?&lt;status&gt;\\d+)" | eval status=(status, "4%"),"4xx" | stats count by status</query> <earliest>$time.earliest$</earliest> <latest>$time.latest$</latest>     I am trying to make a pie chart that shows all the 4xx errors, and then breaks them out by error - so x% was 401, y% was 402, etc. But i am getting Error in 'eval' command: The expression is malformed. Expected ). when i run this on the dashboard. ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎07-01-2021 12:29 PM
Karma given to