Hi Team,
I have the below three log events, which get status codes of 200, 400 and 500 in different logs.
I need help to find the status code error rate for all the different status codes with the respective time.
Event 1: 400 error
{
  body: {
    message: [
      {
        errorMessage: must have required property 'objectIds'
        field: objectIds
      }
      {
        errorMessage: must be equal to one of the allowed values : [object1,object2]
        field: objectType
      }
    ]
    statusCode: 400
    type: BAD_REQUEST_ERROR
  }
  headers: {
    Access-Control-Allow-Origin: *
    Content-Type: application/json
  }
  hostname:
  level: 50
  msg: republish error response
  statusCode: 400
  time: ****
}
Event 2: 500 error
{
  awsRequestId:
  body: {
    message: Unexpected token " in JSON at position 98
  }
  headers: {
    Access-Control-Allow-Origin: *
    Content-Type: application/json
  }
  msg: reprocess error response
  statusCode: 500
  time: ***
}
Event 3: Success
{
  awsRequestId:
  body: {
    message: republish request has been submitted for [1] ids
  }
  headers: {
    Access-Control-Allow-Origin: *
    Content-Type: application/json
  }
  }
  headers: { ... }
  msg: republish success response
  statusCode: 200
  time: ***
}
Hi @nithys,
please try this regex:
| rex "(?ms)statusCode: (?<status_code>\d+)"
that you can test at https://regex101.com/r/Nfgp6r/1
Ciao.
Giuseppe
Hi @nithys,
this seems to be a json format so you can extract all fields using INDEXED_EXTRACTIONS = JSON in the sourcetype or using the spath command (https://docs.splunk.com/Documentation/Splunk/9.1.2/SearchReference/Spath).
Then you can use the timechart command to have the time distribution of the error codes.
Ciao.
Giuseppe
Hi @gcusello
I tried the below query but it's not fetching the correct counts of each statuscode... If I want to capture other status codes greater than 400, or >500, how should I include them?
index="**" source="****"
| rex "\"statusCode\":(?<statusCode>[\d]*)"
| stats count by statusCode
| eval statusCode=case(statusCode="200","success", statusCode="500","Internal Server Error", statusCode="400","Bad Request")
| table statusCode,count
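As an added example that is not part of the thread, here is one way to get the time distribution Giuseppe mentions together with the ">400 / >500" grouping asked about here: it keeps the thread's rex pattern and placeholder index/source, converts statusCode to a number, buckets events by hour (span=1h is an assumed bucket size) and computes the per-bucket counts and error rates. The classification into 4xx/5xx uses numeric comparison, so any new 4xx or 5xx code is counted without listing it in a case().

```spl
index="**" source="****"
| rex "(?ms)statusCode: (?<statusCode>\d+)"
| eval statusCode=tonumber(statusCode)
| bin _time span=1h
| stats count AS total
        count(eval(statusCode=200)) AS success
        count(eval(statusCode>=400 AND statusCode<500)) AS client_errors
        count(eval(statusCode>=500)) AS server_errors
        count(eval(statusCode>=400)) AS errors
        by _time
| eval error_rate=round(100*errors/total, 2)
| eval server_error_rate=round(100*server_errors/total, 2)
| table _time total success client_errors server_errors errors error_rate server_error_rate
```

To chart the raw counts per individual code instead of the classes, replace the stats line with `| timechart span=1h count by statusCode`.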
Hi @gcusello
I am able to get the different status codes in a pie chart. If I also want to append another query count to get the "totalrequest"... it's not being added to the pie chart.
How can I add the below to the pie chart... let's say:
the total request count, say 3
success 200 - 2 (green color)
400 error - 1 (pink color)
500 error - 1 (red color)
index="1**" source="2***"
| rex "(?ms)statusCode: (?<status_code>\d+)"
| stats count by statusCode
| appendcols [ search index="1**" source="2**" "republish event" | stats count by event.body | stats count | rename count as totalrequest ]
Hi @nithys,
don't add a new question (even if on the same topic) to a closed question; anyway, what's the issue in your search?
You don't need to have two stats commands in the secondary search:
index="1**" source="2***"
| rex "(?ms)statusCode: (?<status_code>\d+)"
| stats count by statusCode
| appendcols [ search
index="1**" source="2**" "republish event"
| stats dc(event.body) AS totalrequest ]
Ciao.
Giuseppe
index="1**" source="2***"
| rex "(?ms)statusCode: (?<status_code>\d+)"
| stats count by statusCode
| appendcols [ search index="1**" source="2**" "republish event" | stats dc(event.body) AS totalrequest ]
Hi @gcusello, with the above query I get only the statuscode count, either 200 or 400... but the append search totalrequest is not mapped to a color.
Ok, I don't understand why you want to do this, anyway, please try this:
index="1**" source="2***"
| rex "(?ms)statusCode: (?<statusCode>\d+)"
| stats count by statusCode
| append [ search
index="1**" source="2**" "republish event"
| stats dc(event.body) AS totalrequest
| eval statusCode="totalrequest"
| fields statusCode totalrequest ]
Beware that statusCode must be the same in rex and stats!
Ciao.
Giuseppe
Hi @gcusello
With the provided query I am able to get a column chart which shows the total no. of requests, 200 statuscode, 400 statuscode and 500 statuscode. But how can I show 200 as green, 400 as orange and 500 as red...
I tried the below option inside the source but am unable to get the colors in the column chart...
<option name="charting.chart">column</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.drilldown">all</option>
<option name="charting.fieldColors">{"200":0xFF0000,201:0x33ff00,204:0x66ff00,303:0xffaa00,304:0xffff00,404:0xff0000}</option>
<option name="charting.legend.placement">right</option>
Hi @nithys,
this is a different question, even if on the same search, and you can find many answers to this question in the Community; and, as always, I hint to open a new question in the Community to have a faster and probably better answer.
Anyway, you can assign fixed colours to your values by GUI or in the dashboard code:
by GUI: open your dashboard in Edit mode, click on the pencil at the top right of the panel, then choose the colours.
by code: customize this code for your requirements:
<option name="charting.fieldColors">{"Total":0x333333,"400":0xd93f3c,"200Healthy":0x65a637}</option>
Ciao.
Giuseppe
Thanks @gcusello
The below query matches the correct count of all the status codes:
| rex "(?ms)statusCode: (?<statusCode>\d+)"
| stats count by statusCode
| table statusCode,count