Dashboards & Visualizations

How can I count the number of status codes and group them in a single category?

wjz
New Member

Hi,

I'd like to count the number of HTTP 2xx and 4xx status codes in responses, group them into a single category and then display on a chart. The count itself works fine, and I'm able to see the number of counted responses. I'm basically counting the number of responses for each API that is read from a CSV file.

However, I'm struggling with the problem that I'd like to count the number 2xx and 4xx statuses, sum them and group under a common label named: "non5xx" that refers to non-server status codes and display on a chart.

So far, I've come up with the following search query, but it fails to meet my expectations:

[| inputlookup api_names_file.csv | rename AppName to app_name | table app_name ] | chart count(eval(like(status, "2%"))) AS successResponses, count(eval(like(status, "4%"))) AS clientErrorResponses, count(eval(like(status, "5%"))) AS 5xx BY status | eval total = (successResponses + clientErrorResponses) | eventstats sum(total) AS non5xx by status | fields non5xx, 5x

Ideally, I'd like to end up with the following chart:
alt text

  • The non5xx group would refer to the summed number of all 2xx and 5xx status codes e.g. HTTP 200, 201 etc.
  • The 5xx group would describe server error status codes such as 500, 501 etc.

Is it possible to display such a common label consisting of the sum of two responses on an arbitrary chart e.g. a pie chart?

Thanks in advance

0 Karma
1 Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust

Hi @wjz,

I think it is the same question.

https://answers.splunk.com/answers/591435/counting-the-number-of-responses-and-displaying-in.html

have you tried these searches suggested in above question??

Search for the count of status like 2xx,4xx & 5xx.

| inputlookup api_names_file.csv | eval status=case(like(status, "2%"),"2xx",like(status, "4%"),"4xx",like(status, "5%"),"5xx") | stats count by status

Search for the count of status like non5xx & 5xx.

| inputlookup api_names_file.csv | eval status=case(like(status, "2%") OR like(status, "4%"),"non5xx",like(status, "5%"),"5xx") | stats count by status

Just change the visualization to the pie chart.

Happy Splunking

View solution in original post

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

Hi @wjz,

I think it is the same question.

https://answers.splunk.com/answers/591435/counting-the-number-of-responses-and-displaying-in.html

have you tried these searches suggested in above question??

Search for the count of status like 2xx,4xx & 5xx.

| inputlookup api_names_file.csv | eval status=case(like(status, "2%"),"2xx",like(status, "4%"),"4xx",like(status, "5%"),"5xx") | stats count by status

Search for the count of status like non5xx & 5xx.

| inputlookup api_names_file.csv | eval status=case(like(status, "2%") OR like(status, "4%"),"non5xx",like(status, "5%"),"5xx") | stats count by status

Just change the visualization to the pie chart.

Happy Splunking

0 Karma

wjz
New Member

Hi,

Yes, I've accidentally posted two questions. Of course, it solved my problems and it works like a charm.
Thank you once again! 🙂

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...