Need a table to show the top 5 URL as given below in Splunk. Is this possible in Splunk? I tried many ways but I can't get all status of a URL as a single row.
API 200 204 400 401 499 500
/wodetails/ACP 895(50%) - - - - 1
This is a case where the chart command can be used:
index="main" source="access.log" sourcetype="access_combined"
| chart c(status) by uri, status
| uri | 200 | 204 | 400 | 499 |
|---|---|---|---|---|
| /basic/status | 11 | 1 | 1 | 1 |
| /search/results | 3 | 0 | 0 | 0 |
To add the percentages, you can use eventstats
index="main" source="access.log" sourcetype="access_combined"
| eventstats count as "totalCount" by uri
| eventstats count as "codecount" by uri, status
| eval percent=round((codecount/totalCount)*100)
| eval cell=codecount." (".percent."%)"
| chart values(cell) by uri,status
| uri | 200 | 204 | 400 | 499 |
|---|---|---|---|---|
| /basic/status | 11 (79%) | 1 (7%) | 1 (7%) | 1 (7%) |
| /search/results | 3 (100%) |