Solved: How to edit my stats search of all HTTP error code...

deepak312 · ‎11-01-2016

I have this search which is not returning any result, I am not sure of the issue. Any help?

index=my_index status!=200 | stats count(status) as TOTAL_FAILURES | eval FAILURES=if(status!=200,1,0) | eval ERROR_TYPE="" | eval ERROR_TYPE=case(match(status, "401"), "401 UnAuthorized", match(status, "400"), "400 Bad Request", match(status, "502"), "502 Bad Gateway", match(status, "500"), "500 Internal Server Error", match(status, "404"), "404 Not Found", match(status, "403"), "403 Forbidden", match(status, "302"), "302 URL Redirection", match(status, "204"), "204 No Content") | stats sum(FAILURES) as FAILURES, count by ERROR_TYPE | eval FAILURE_RATE=(FAILURES/TOTAL_FAILURES)*100 | eval STATUS=case(FAILURE_RATE > 95, "RED", FAILURE_RATE > 50, "ORANGE", FAILURE_RATE < 51,"GREEN", 1=1, UNKNOWN) | table ERROR_TYPE, TOTAL_FAILURES, FAILURES, FAILURE_RATE, STATUS

lquinn · ‎11-01-2016

Firstly, after the "stats count(status) as TOTAL_FAILURES" part at the beginning of your search, you will only be left with one field, TOTAL_FAILURES, which will have a numeric value of the number of events which contain the field status. The status field will no longer exist so all other evals after that won't work.

View solution in original post

lquinn · ‎11-01-2016

Firstly, after the "stats count(status) as TOTAL_FAILURES" part at the beginning of your search, you will only be left with one field, TOTAL_FAILURES, which will have a numeric value of the number of events which contain the field status. The status field will no longer exist so all other evals after that won't work.

deepak312 · ‎11-02-2016

Thanks @Iquinn, this helped.

How to edit my stats search of all HTTP error codes that is not returning any results?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms