Splunk Search

How to edit my stats search of all HTTP error codes that is not returning any results?

deepak312
Explorer

I have this search which is not returning any results; I am not sure of the issue. Any help?

index=my_index status!=200 | stats count(status) as TOTAL_FAILURES | eval FAILURES=if(status!=200,1,0) | eval ERROR_TYPE="" | eval ERROR_TYPE=case(match(status, "401"), "401 UnAuthorized", match(status, "400"), "400 Bad Request", match(status, "502"), "502 Bad Gateway", match(status, "500"), "500 Internal Server Error", match(status, "404"), "404 Not Found", match(status, "403"), "403 Forbidden", match(status, "302"), "302 URL Redirection", match(status, "204"), "204 No Content") | stats sum(FAILURES) as FAILURES, count by ERROR_TYPE | eval FAILURE_RATE=(FAILURES/TOTAL_FAILURES)*100 | eval STATUS=case(FAILURE_RATE > 95, "RED", FAILURE_RATE > 50, "ORANGE", FAILURE_RATE < 51,"GREEN", 1=1, UNKNOWN) | table ERROR_TYPE, TOTAL_FAILURES, FAILURES, FAILURE_RATE, STATUS

lquinn
Contributor

Firstly, after the "stats count(status) as TOTAL_FAILURES" part at the beginning of your search, you will only be left with one field, TOTAL_FAILURES, which will have a numeric value of the number of events which contain the field status. The status field will no longer exist, so all other evals after that won't work.

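The answer above describes the root cause but does not show a corrected search, so here is one, as an added example that is not part of the original post or of lquinn's reply. It assumes the same index name (my_index) and the same status field as in the question; everything else is an assumption for illustration. The fix is to do the per-event work (classifying the status code) before the first stats, let stats compute the per-category count, and then derive the overall total from the aggregated rows with eventstats instead of with an earlier stats that would have discarded the status field:

```spl
index=my_index status!=200
| eval ERROR_TYPE=case(
      status=="401", "401 Unauthorized",
      status=="400", "400 Bad Request",
      status=="502", "502 Bad Gateway",
      status=="500", "500 Internal Server Error",
      status=="404", "404 Not Found",
      status=="403", "403 Forbidden",
      status=="302", "302 URL Redirection",
      status=="204", "204 No Content",
      true(), "Other ".status)
| stats count as FAILURES by ERROR_TYPE
| eventstats sum(FAILURES) as TOTAL_FAILURES
| eval FAILURE_RATE=round(FAILURES / TOTAL_FAILURES * 100, 2)
| eval STATUS=case(
      FAILURE_RATE > 95, "RED",
      FAILURE_RATE > 50, "ORANGE",
      FAILURE_RATE <= 50, "GREEN",
      true(), "UNKNOWN")
| table ERROR_TYPE, TOTAL_FAILURES, FAILURES, FAILURE_RATE, STATUS
```

Three smaller problems in the original search are also addressed here. The separate "FAILURES=if(status!=200,1,0)" eval is redundant, because the base search already excludes status 200, so a plain count per ERROR_TYPE is the failure count. The original case() has no default branch, so any status not in the list gets a null ERROR_TYPE, is dropped by "stats ... by ERROR_TYPE", and silently disappears from the total; the "true()" branch keeps those rows visible. Finally, the original "1=1, UNKNOWN" refers to a field named UNKNOWN rather than the string "UNKNOWN", and "match(status, \"401\")" is a regular-expression search that would also match a value such as 1401, so exact comparison is used instead.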


deepak312
Explorer

Thanks @lquinn, this helped.
