Looking to group your Results into Categories?

Follow

Mario Sanchez

• March 14, 2018 19:52
• Edited

Let's say I want to group my Apache status codes into Categories. I could use a query like the one below:

_sourceCategory=Apache/Access 
| timeslice 15m 
| if (status_code matches "20*", 1, 0) as resp_200 
| if (status_code matches "30*", 1, 0) as resp_300 
| if (status_code matches "40*", 1, 0) as resp_400 
| if (status_code matches "50*", 1, 0) as resp_500 
| if (!(status_code matches "20*" or status_code matches "30*" or status_code matches "40*" or status_code matches "50*"), 1, 0) as resp_others 
| count(*), sum(resp_200) as tot_200, sum(resp_300) as tot_300, sum(resp_400) as tot_400, sum(resp_500) as tot_500, sum(resp_others) as tot_others by _timeslice

Adding timeslice allows me to see the trend over time. Enjoy!

0

• 

  Mario Sanchez

  • March 14, 2018 19:55

  This is great, but what if I just want a current snapshot, not a trend over time. Easy peasy!

  _sourceCategory=Labs/Apache/Access
  | if (status_code matches "2*", 1, 0) as success
  | if (status_code matches "3*", 1, 0) as redirects
  | if (status_code matches "4*", 1, 0) as client_error
  | if (status_code matches "5*", 1, 0) as server_error
  | sum(success) as Success, sum(client_error) as client_Error, sum(server_error) as server_Error, sum(redirects) as Redirects

   

  But, if I plan to chart this in a Pie chart, then I better show my results in one same column. In that case, I can follow this example:

  _sourceCategory=Labs/Apache/Access
  | count by status_code
  | if (status_code matches "2*", "success", status_code) as status
  | if (status_code matches "3*", "redirects", status) as status
  | if (status_code matches "4*","client_error" , status) as status
  | if (status_code matches "5*", "server_error", status) as status
  | sum(_count) by status

   

  Enjoy!

  0

  Comment actions Permalink

Please sign in to leave a comment.