Thanks for the advice! With what you provided and Splunk Documentation I was able to get the following search to work:
index=apigee host="mock" "apiproxy.name"=GetQuoteServices_v1_Manual error.status.code IN (400, 401, 402, 403, 404) | top limit=0 error.status.code showperc=f
The issue is that trying to combine it with almost the exact same search to get the 200 responses does not seem to work. The 200 responses are under a different interesting field, so this is where it gets hairy. I attempted the following with no luck:
multisearch [search index=apigee host="mock" "apiproxy.name"=GetQuoteServices_v1_Manual error.status.code IN (400, 401, 403, 404, 500, 502, 503, 504)] | eval type="error_search" [search index=apigee host="mock" "apiproxy.name"=GetQuoteServices_v1_Manual response.status.code IN (200, 201, 202, 203)] | eval type="success_search"
I am assuming there is some sort of operator to use so the search is aware to run both searches, but as of this point I have not had much luck. Any thoughts?
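For reference, an added example that is not part of the original post: `multisearch` is a generating command, so it starts the search with a leading pipe, and each `eval` goes inside the brackets of the subsearch it labels. The index, host, proxy name, field names and status codes are the ones from the post; the closing `stats` is an assumption about the summary wanted.

```spl
| multisearch
    [ search index=apigee host="mock" "apiproxy.name"=GetQuoteServices_v1_Manual
        error.status.code IN (400, 401, 403, 404, 500, 502, 503, 504)
      | eval type="error_search" ]
    [ search index=apigee host="mock" "apiproxy.name"=GetQuoteServices_v1_Manual
        response.status.code IN (200, 201, 202, 203)
      | eval type="success_search" ]
| stats count by type
```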