Splunk Search

How to edit my stats search of all HTTP error codes that is not returning any results?

deepak312
Explorer

I have this search which is not returning any result, I am not sure of the issue. Any help?

index=my_index status!=200 | stats count(status) as TOTAL_FAILURES | eval FAILURES=if(status!=200,1,0) | eval ERROR_TYPE="" | eval ERROR_TYPE=case(match(status, "401"), "401 UnAuthorized", match(status, "400"), "400 Bad Request", match(status, "502"), "502 Bad Gateway", match(status, "500"), "500 Internal Server Error", match(status, "404"), "404 Not Found", match(status, "403"), "403 Forbidden", match(status, "302"), "302 URL Redirection", match(status, "204"), "204 No Content") | stats sum(FAILURES) as FAILURES, count by ERROR_TYPE | eval FAILURE_RATE=(FAILURES/TOTAL_FAILURES)*100 | eval STATUS=case(FAILURE_RATE > 95, "RED", FAILURE_RATE > 50, "ORANGE", FAILURE_RATE < 51,"GREEN", 1=1, UNKNOWN) | table ERROR_TYPE, TOTAL_FAILURES, FAILURES, FAILURE_RATE, STATUS
0 Karma
1 Solution

lquinn
Contributor

Firstly, after the "stats count(status) as TOTAL_FAILURES" part at the beginning of your search, you will only be left with one field, TOTAL_FAILURES, which will have a numeric value of the number of events which contain the field status. The status field will no longer exist so all other evals after that won't work.

View solution in original post

0 Karma

lquinn
Contributor

Firstly, after the "stats count(status) as TOTAL_FAILURES" part at the beginning of your search, you will only be left with one field, TOTAL_FAILURES, which will have a numeric value of the number of events which contain the field status. The status field will no longer exist so all other evals after that won't work.

0 Karma

deepak312
Explorer

Thanks @Iquinn, this helped.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...