How would I create a Splunk query to show me table of the counts of http status codes per URL? Assuming each event contains a key of URL with a value, and key of http response code. Thanks!
200 401 500
url1 6 1 1
url2 19 2 3
EDIT:
Here's what I've tried so far... index=myindex method="GET" | stats count by url, httpstatus
Which gives me (unexpectedly) one row for each URL and HTTP Status with [URL, httpstatus, count of occurrences of httpstatus]
The by clause of the stats command specifies how you want the results grouped. The fields in that clause will be the first columns of the results table with the remaining columns being the specified functions (count, in this case).
To get the desired output, try the chart command. The over clause specifies the horizontal fields and the by clause the vertical.
index=myindex method="GET"
| chart count over status by URL