Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to extract HTTP status codes in report?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ruchijain
New Member
06-17-2019
08:53 AM
Hi,
I know how to extract the HTTP Status from Splunk. But I need it in the below format which I am not able to do:
- If any status with 2% and 3% then it will show as "Success"
- Apart from that, it will show all the status codes (example 400, 428, 430, 500, 520 or anything )
I am able to extract all the codes:
|eval status=case(like(status,"2%"),"2xx",like(status,"3%"),"3xx",like(status,"4%"),"4xx",like(status,"5%"),"5xx") | stats count by status | eventstats sum(count) as perc | eval perc=round(count*100/perc,2)
But in this, the table is like this:
status count perc
2xx 3154 96.63
3xx 44 1.35
4xx 66 2.02
If I remove the eval and like statement then it will show the result as below:
status count perc
200 2922 88.84
201 252 7.66
302 22 0.67
304 25 0.76
401 9 0.27
404 6 0.18
422 53 1.61
Whereas I want the result as below:
Status count perc
success(2X and 3X) 300 8.00
401 9 0.27
404 6 0.18
422 53 1.61
Can anyone help me? Thank you.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jnudell_2
Builder
06-17-2019
10:35 AM
If you want what you exactly wrote:
... [ you search ] ... | eval status = if(match(status, "^[23]\d\d"), "success(2X and 3X)", status) | top status
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jnudell_2
Builder
06-17-2019
10:35 AM
If you want what you exactly wrote:
... [ you search ] ... | eval status = if(match(status, "^[23]\d\d"), "success(2X and 3X)", status) | top status
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Vijeta
Influencer
06-17-2019
10:20 AM
@ruchijain Try below
<your base search>| eval status=if(like(status,"2%") OR like(status,"3%"),"Success",status) | stats count by status| eventstats sum(count) as perc | eval perc=round(count*100/perc,2)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
06-17-2019
09:11 AM
Try like this
your base search
|eval status=if(like(status,"2%") OR like(status,"3%"),"Success",status)
| top 0 status
The top command does what you want to do with your stats-eventstats-eval combo.
Get Updates on the Splunk Community!
Splunk Answers Content Calendar, July Edition I
Hello Community!
Welcome to another month of Community Content Calendar series! For the month of July, we will ...
Secure Your Future: Mastering Upgrade Readiness for Splunk 10
Spotlight: The Splunk Health Assistant Add-On
The Splunk Health Assistant Add-On is your ultimate companion ...
Observability Unlocked: Kubernetes & Cloud Monitoring with Splunk IM
Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team on ...
