Filter events in a time frame by a condition

RemyaT · ‎11-12-2023

I have the query to find the response code and count vs time (in 1 minute time interval) as below.

index=sample_index path=*/sample_path* 
	| bucket _time span=1m 
	| stats count by _time responseCode

The result shows the response code and count vs time for each minute. But I just need the events in those 1 minutes which have 403 response code along with other response codes and skip which doesn't have 403.

Suppose during time1, if there are only events with response code 200, I don't need that in my result. But during time2, if there are events with response code 200 and 403, I need that in the result as time, response code, count.

ITWhisperer · ‎11-12-2023

index=sample_index path=*/sample_path* responseCode=200 OR responseCode=403
| timechart span=1m count by responseCode
| where '403' > 0

gcusello · ‎11-12-2023

Hi @RemyaT,

let me understand: do you want to count only events with response_code=403 or cout of all response_codes when there's at least one 403?

If the first, you can try:

index=sample_index path=*/sample_path* response_code=403
| timechart span=1m count

if the second

index=sample_index path=*/sample_path* 
| bucket _time span=1m 
| stats 
   count(eval(response_code="200")) AS 200_count 
   count(eval(response_code="403")) AS 403_count 
   BY _time
| where 403_count >0

Ciao.

Giuseppe

Filter events in a time frame by a condition

count

stats

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...