Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create a graph or table for the following query according to the Status Code ?? Please refer the result below.

JyotiP
Path Finder
‎08-29-2017 02:29 AM

{"StatusCode":200,"ReasonPhrase":"OK","Method":"POST","PathAndQuery":"}
{"StatusCode":404,"ReasonPhrase":"Not Found","Method":"GET","PathAndQuery":"}
{"Message":"Completed request to Create Position Events.","}.

For the above I have three categorize like status code 200, 400 and NONE. So I want to create a graph or count on the basis of Status Code. How to do it ??

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
Legend
‎08-29-2017 07:09 AM

This will get you a bar graph...

 your base search that gets the records you want with StatusCode and _time
 | fillnull value="None" StatusCode
 | stats count by StatusCode

This will get you a chart over time...

your base search that gets the records you want with StatusCode and _time
| fillnull value="None" StatusCode
| timechart count by StatusCode

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

DalJeanis
Legend
‎08-29-2017 07:09 AM

This will get you a bar graph...

 your base search that gets the records you want with StatusCode and _time
 | fillnull value="None" StatusCode
 | stats count by StatusCode

This will get you a chart over time...

your base search that gets the records you want with StatusCode and _time
| fillnull value="None" StatusCode
| timechart count by StatusCode
0 Karma
Reply
Solved! Jump to solution

JyotiP
Path Finder
‎08-29-2017 07:13 AM

@DalJeanis, thanks for the update, will try the above two.

Reply
Solved! Jump to solution

niketn
Legend
‎08-29-2017 04:57 AM

@JyotiP, are these indexed as single event or separate events?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

JyotiP
Path Finder
‎08-29-2017 06:31 AM

@niketnilay, these are separate events.

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎08-29-2017 07:12 AM

Please try the following:

<YourBaseSearch>
| rex field=_raw "{\"StatusCode\":(?<StatusCode>[^,]+),"
| stats count by StatusCode

Can you also add example for StatusCode None?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

JyotiP
Path Finder
‎08-29-2017 07:16 AM

@niketnilay, thanks for the update, will try the above.

0 Karma
Reply
Get Updates on the Splunk Community!

Enhance Your Splunk App Development: New Tools & Support

UCC FrameworkAdd-on Builder has been around for quite some time. It helps build Splunk apps faster, but it ...

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...