Hi,
I'd like to count the number of responses by the following status codes: 2xx, 4xx and 5xx.
I'm basically counting the number of 2xx, 4xx and 5xx statuses for each API that is read line by line from a CSV file.
The only problem that I'm struggling with is I can't figure out how to sum and group the number of counted 2xx and 4xx status codes under a common label named: non5xx that refers to non-server error status codes and then display it in a pie/column/bar chart.
So far, I've come up with the follwing query, but it fails to meet my expectations:
[| inputlookup api_names_file.csv | rename AppName to app_name | table app_name] | chart count(eval(like(status, "2%"))) AS successResponses, count(eval(like(status, "4%"))) as clientErrorResponses, count(eval(like(status, "5%"))) AS 5xx BY app_name | eval total = (successResponses + clientErrorResponses) | eventstats sum(total) AS non5xx by app_name | fields non5xx, 5xx
Eventually, I'd like to end up with the following chart:
![alt text][1]
- The **non5xx** group would refer to the sum of counted 2xx and 4xx statuses grouped together.
- The **5xx** group picture the number of 5xx server error responses.
Is is possible to group the counted 2xx and 4xx status codes under a common label, just like on the aforementioned pie chart?
Of course, it may an arbitrary type of chart including the column, and bar ones as well.
Thank you in advance
[1]: /storage/temp/218798-splunk-chart.png
↧