The Challenge
Turn Cryptic Codes into Readable Values
Our first challenge is to associate the standard status code in an Apache web log (such as "404") with its meaning (such as "File Not Found") and its type (such as "Client Error").
Data Excerpt | Description | Type |
---|---|---|
...ploy" 200 27366 | OK | Successful |
...t-ous" 201 54303 | Created | Successful |
...t-end" 404 16003 | File Not Found | Client Error |
...ntent" 503 14029 | Service Unavailable | Server Error |
Enriching status codes with English-language messages is one of the most common applications of Cribl Stream's Lookup Function.
Easily understood descriptions can improve the clarity of reports and dashboards. Additionally, categorizing events into different types, such as "Successful" and "Client Error," makes it easy to apply other Functions to entire groups of events.
For example, you could index every event of type "Client Error" or "Server Error", while sending (sampling) only one of every five or ten "Successful" events. This would enable you to reduce infrastructure and license costs related to systems of analysis, like Elastic, without losing data fidelity.
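The enrich-then-sample logic described above, sketched in plain Python as an added illustration (it is not Cribl Stream configuration and not code from this course). The CSV column names, the `sample_rate` field and the log lines are constructed assumptions; lines that fail to parse and status codes missing from the lookup are kept rather than sampled away, so gaps in the table cannot hide events.

```python
import csv
import io
import re

# Constructed lookup table; the column names are assumptions, the rows mirror the table above.
LOOKUP_CSV = """status,description,type
200,OK,Successful
201,Created,Successful
404,File Not Found,Client Error
503,Service Unavailable,Server Error
"""

# Request, status code and byte count as they appear in an Apache access log line.
LINE_RE = re.compile(r'"[^"]*" (?P<status>\d{3}) (?:\d+|-)')

def load_lookup(text):
    """Index the CSV rows by status code."""
    return {row["status"]: row for row in csv.DictReader(io.StringIO(text))}

def enrich(line, lookup):
    """Attach description and type; lines or codes with no match stay visible."""
    event = {"_raw": line, "status": None, "description": "Unknown", "type": "Unparsed"}
    m = LINE_RE.search(line)
    if m:
        hit = lookup.get(m["status"], {"description": "Unknown", "type": "Unknown"})
        event.update(status=m["status"], description=hit["description"], type=hit["type"])
    return event

def route(lines, lookup, sample_rate=5):
    """Keep every non-Successful event and 1 of every sample_rate Successful ones."""
    kept, seen_ok = [], 0
    for line in lines:
        event = enrich(line, lookup)
        if event["type"] == "Successful":
            seen_ok += 1
            if (seen_ok - 1) % sample_rate != 0:
                continue  # dropped by sampling
            event["sample_rate"] = sample_rate  # hypothetical field: lets reports scale counts back up
        kept.append(event)
    return kept

# Constructed sample input: ten 200s, one 404, one 503, one garbage line.
SAMPLE = [f'10.0.0.{i} - - [01/Jan/2024:00:00:0{i} +0000] "GET /p{i} HTTP/1.1" 200 512' for i in range(10)]
SAMPLE += ['10.0.0.50 - - [01/Jan/2024:00:00:10 +0000] "GET /missing HTTP/1.1" 404 16003',
           '10.0.0.51 - - [01/Jan/2024:00:00:11 +0000] "GET /api HTTP/1.1" 503 14029',
           'not an access log line']

if __name__ == "__main__":
    for ev in route(SAMPLE, load_lookup(LOOKUP_CSV)):
        print(ev["status"], ev["type"], ev["description"])
```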
Let’s walk through this example.