Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I display percentage of 500 errors on a per-URI basis?

kdankmyer
Engager
‎06-18-2010 06:48 PM

So, I have a big set of web stats for a given time in a search. Basically, I want it broken down by uri_path and for each uri_path, it tells me the number of hits that were returning status 500.

So, for example, let's say that I only had two uri_path values, as follows:

/fnord/hooray.cfm
/dronf/test.cfm

During the time frame, each of those only returned two status values: 200 and 500.

Let's say there was 100 hits for /fnord/hooray.cfm, out of which 20 were 500 errors. At that same time, there were 200 hits for /dronf/test.cfm, 100 of which were 500 errors. Ideally, the resulting search would show something like this:

/fnord/horray.cfm 20 20%
/fronf/test.cfm 100 50%

Does that make sense? It seem like it would be easy to do this, but I'm not sure how. How get the search and/or report to do that?

Reply
1 Solution
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎06-19-2010 04:23 AM

In addition to jwestberg's answer, you can also use things like:

... | top limit=0 status by uri_path

or

... | stats count by status,uri_path | eventstats sum(count) as uri_total by uri_path | eval percent=count/uri_total

to get all statuses count and percentages. You can then add a | where status=500 or | where status==500 OR status==200 if you want to be selective about what statuses you're bringing back.

View solution in original post

Reply
Solved! Jump to solution

kdankmyer
Engager
‎06-21-2010 07:30 PM

Combining the two approaches above (thank you both) and experimenting a little, I ended up going with this:

... | stats count by status,uri_path | eventstats sum(count) as total_hits by uri_path | eval percent_errors=(count/total_hits)*100 | where status=500 | fields count, uri_path, percent_errors, total_hits | sort - count

Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎06-19-2010 04:23 AM

In addition to jwestberg's answer, you can also use things like:

... | top limit=0 status by uri_path

or

... | stats count by status,uri_path | eventstats sum(count) as uri_total by uri_path | eval percent=count/uri_total

to get all statuses count and percentages. You can then add a | where status=500 or | where status==500 OR status==200 if you want to be selective about what statuses you're bringing back.

Reply
Solved! Jump to solution

jwestberg
Splunk Employee
Splunk Employee
‎06-18-2010 07:29 PM

There are many different ways of accomplishing this search, but the one I find most intuitive and easily understood is to approach it like this:

... | chart count(eval(status=500)) as internal_errors, count as total_requests by uri_path | eval perc=internal_error/total_requests

Here we use the count function of the chart command first to get counts of the two interesting values.

First, we get the count of all events where status=500 and save that as a new field internal_errors. Second, we count the total number of requests as total_requests. And lastly, we tell Splunk to apply this chart command "by" uri_path (think group by).

Now we just have counts of 500s and the total number of requests, so we add on the eval-command to actually get the percentile of internal_errors in relation to total_requests.

To get the output you are requesting, you can select the interesting fields by use of:

... | fields uri_path, internal_errors, perc
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...