Splunk Search

Report showing total events combined with status types?

jcott28
Explorer

I'm new to all of this and can mainly do nothing but some simple searches. But if I wanted to create a graph showing the total connections as one line, then the total 503's as another, total 404's as another, etc... how would I go about doing that?

Basically, I can create each individual graph, but I would like to have them overlayed over time.

What I'm trying to do is see if the total requests made on an apache server correlates to when the bulk of the errors occur. I expect that when the first line above (total) goes up high, the lines of the errors also go up at the same time.

Is this sort of graph possible in Splunk?

Tags (2)
0 Karma

Ayn
Legend

There are several ways in which you can achieve this, for instance you could use a stacked area graph. Let's say that your web logs have the sourcetype weblogs and that the field httpResponseCode is being extracted from all the log events. In this case, you'd do:

sourcetype="weblogs" | timechart count by httpResponseCode

This gives you a count of each response code over time. By going into the report builder and choosing an area chart with stacked areas, the total height of the area over time will be equivalent to the total amount of requests, and you can see how much each response code contributes to that total.

Edit: additionally, if you prefer to solve it another way and want a method to get the total count in addition to the count for each individual response code, add | addtotals to your search command. It will add a "Total" column to your chart containing the total count.

0 Karma

jcott28
Explorer

Perfect! That's exactly what I needed. thanks!

0 Karma

Ayn
Legend

See the added info. You'll get a total count either by stacking the chart or using addtotals. Or did I misunderstand your question?

0 Karma

jcott28
Explorer

This I have done. But this just shows the different response codes not correlated to total traffic. I need this one + adding in another line tracking total traffic (i.e. all response codes combined)

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...