Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get the status wise data

SG
Path Finder
‎11-29-2021 10:50 PM

Hi,

I wrote below query which gives me data per service per min...

index=**** | bucket _time span=1m | convert ctime(_time) AS Hour timeformat="%H:%M" | stats count AS Requests by service, Hour

Below is the screenshot for same

SG_0-1638254814390.png

 

the requests i wanted to split based on HTTP status code (200, 404, 302, 500 etc). I am using below query for same but i am unabe to get the data.

index=*** | bucket _time span=1m | convert ctime(_time) AS Hour timeformat="%H:%M" | chart count AS Requests,status as HTTP_status by service, Hour

error screen shot - 

SG_1-1638254934936.png

 

Can someone please help me how to get the number of requests by status code?

Thanks,

SG

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-29-2021 11:28 PM

Not with chart - you can use stats however

| stats count by Hour service HTTP_status

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-29-2021 11:21 PM

chart (or timechart as @PickleRick  suggested) doesn't work with 4 dimensions (time, service, status and count). if you want just status then use

| chart count AS Requests by HTTP_status, Hour

 

Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎11-30-2021 12:11 AM

@ITWhisperer Ahhh. You're right. I keep forgetting that and facepalm myself every so often 😄

Indeed, that's one of the cases where binning with time actually makes sense.

0 Karma
Reply
Solved! Jump to solution

SG
Path Finder
‎11-29-2021 11:25 PM

In this case i will not be able to bifurcate my stats service wise.

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-29-2021 11:28 PM

Not with chart - you can use stats however

| stats count by Hour service HTTP_status
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎11-29-2021 11:03 PM

First things first - you don't usually want to do bucketting and then stats by time because you have a specialized command for this - timechart

So your search may be rewritten simply as

index=***
| timechart span=1m count AS Requests status as HTTP_status by service
0 Karma
Reply
Solved! Jump to solution

SG
Path Finder
‎11-29-2021 11:07 PM

HI @PickleRick ,

Thanks for your response.

Above method also giving error as below..

SG_0-1638256025658.png

 

 

Thanks,

SG

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎11-29-2021 11:10 PM

Ahhh, right. Forgot about that 🙂

Transforming commands need some form of aggregation function to be applied to fields. So you can't just give a simple field name. You can have count(status) or dc(status) or any other statistical function. In your case, I suppose values(status) will do.

Or if you want to further break down your results by status move the status from the aggregation to the "by" clause

| timechart span=1m count by status service

 EDIT: As @ITWhisperer already mentioned, this solution is wrong because of two separate dimension used for classifying events for stats. So we can either use manual binning and statsing or we have another solution - we can create an artificial combined dimension:

| eval servicestatus=service."-".status
| timechart span=1m count by servicestatus
0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

A Guide To Cloud Migration Success

As enterprises’ rapid expansion to the cloud continues, IT leaders are continuously looking for ways to focus ...

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...