Hi,
I have queries in which I'd like to group HTTP status codes together (i.e. anything 200-299, or 300-399, or 400-499, or 500-599). I have a dropdown that prompts the user to select a range:
<input type="dropdown" token="http_code" searchWhenChanged="true">
<label>Select Http Status Code Range:</label>
<default>200</default>
<choice value="200">200 - 299</choice>
<choice value="300">300 - 399</choice>
<choice value="400">400 - 499</choice>
<choice value="500">500 - 599</choice>
</input>
but I'm not sure how to get the query working. This is what I have. It kinda works, but it still returns other codes even though the value is zero:
index=itscom source=*access* |rex "HTTP\S+ (?<status>\d+)"|stats count(eval(searchmatch("status=2*"))) as "200-299" by status
Try this
index=itscom source=*access* |rex "HTTP\S+ (?<status>\d+)"
| bucket status span=100 | eval status=mvindex(split(status,"-"),0)."-".(tonumber(mvindex(split(status,"-"),1))-1)
| stats count by status
Wow, that is pretty good! It doesn't seem to get the 500-599 ones though.
nevermind, my fat fingers can't type so well 🙂
Let's try this then
index=itscom source=*access* |rex "HTTP\S+ (?<status>\d+)"
| bucket status span=100 | eval status=mvindex(split(status,"-"),0)."-".(tonumber(mvindex(split(status,"-"),0))+99)
| stats count by status
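As an added example that is not from any of the replies above, this search wires the dashboard's `$http_code$` token (the dropdown from the question) into the grouping logic, so only the selected range is counted; it assumes the same index, source and rex pattern used throughout the thread.

```spl
index=itscom source=*access*
| rex "HTTP\S+ (?<status>\d+)"
| eval status=tonumber(status)
| where isnotnull(status) AND status>=$http_code$ AND status<$http_code$+100
| eval lo=floor(status/100)*100, hi=lo+99, range=lo."-".hi
| stats count by range, status
| sort status
```

With the dropdown default of 200 the where clause keeps only 2xx responses, and the floor arithmetic labels the group 200-299 directly instead of relying on bucket's upper-exclusive 200-300 label; dropping the where line returns per-status counts for every range at once.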