- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Compare resp code count of two dates for each ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
I have query that return count of different resp codes of servers for 2 days
now need to find different between these two days.
current output:
Respcodes Srv1 Srv2 Srv3 Srv4 ….
200 80 10 100 42
400 12 55 11 0
500 11 34 2 8
…
expected output:
Date. Respcodes Srv1 Srv2 Srv3 Srv4 ….
2024/02/23 200 80 10 100 42
2024/02/24 200 70 19 11 11
2024/02/23 400 12 55 11 0
2024/02/24 400 44 14 46 89
2024/02/23 500 11 34 2 8
2024/02/24 500 11 34 2 9
…
if there is delta that calculate count of each server for two dates will be great!
any idea?
thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can only use three fields for xyseries, the x-axis, the y-axis and the series (names) - hence the name of the command! It is similar in that respect to the chart command. Try something like this
index="myindex"
| rex field=source "\/.*\/log\.(?<servername>\w+)."
| rex "R(?<Respcode>\[\d+\]\[\d+\])" | bin _time span=1d
| stats count as Respcode_count by Respcode,servername,_time
| eval {servername} = Respcode_count
| fields - servername Respcode_count
| stats values(*) as * by _time Respcode
| fillnull value=0- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your current output doesn't have any dates, so where are these going to come from?
Please provide some sample events?
Also, please provide your current search, so we can see how you are currently processing the events?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@ITWhisperer Here is the current query, and when i add _time in xyseries it will show resp ode as columns instead row::
index="myindex"
| rex field=source "\/.*\/log\.(?<servername>\w+)."
| rex "R(?<Respcode>\[\d+\]\[\d+\])" | bin _time span=1d
| stats count as Respcode_count by Respcode,servername,_time
| xyseries Respcode ,servername,Respcode_count
Current output:
Respcodes Srv1 Srv2 Srv3 Srv4 ….
200 80 10 100 42
400 12 55 11 0
500 11 34 2 8
…
expected output:
Date. Respcodes Srv1 Srv2 Srv3 Srv4 ….
2024/02/23 200 80 10 100 42
2024/02/24 200 70 19 11 11
2024/02/23 400 12 55 11 0
2024/02/24 400 44 14 46 89
2024/02/23 500 11 34 2 8
2024/02/24 500 11 34 2 9
…
any idea?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can only use three fields for xyseries, the x-axis, the y-axis and the series (names) - hence the name of the command! It is similar in that respect to the chart command. Try something like this
index="myindex"
| rex field=source "\/.*\/log\.(?<servername>\w+)."
| rex "R(?<Respcode>\[\d+\]\[\d+\])" | bin _time span=1d
| stats count as Respcode_count by Respcode,servername,_time
| eval {servername} = Respcode_count
| fields - servername Respcode_count
| stats values(*) as * by _time Respcode
| fillnull value=0- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@ITWhisperer thanks work perfectly.
is there any way to show resp count numbers like this: 10,1K, 2M, …?
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
