
Summarizing Data - Advanced

From this view we can see far too many non-200 status codes (at least for my liking). What would help is a count of status codes by category and by host server.

HTTP Codes

The first digit of HTTP status codes indicates the category of status:

  • 1xx (Informational Responses)
  • 2xx (Success)
  • 3xx (Redirection)
  • 4xx (Client Errors)
  • 5xx (Server Errors)

We are really going to see summarize shine now.

Get your shine on
  1. Delete count() by status.
  2. Add info=countif(status<200)

This combines several techniques we have already discussed in a single countif function, and adds one new mechanism: assigning a name to a value. Here we assign the name info to the value of countif(status<200). The result is a new field called info holding the number of events whose status code is in the 1xx range (strictly, any numeric status below 200). Pretty neat, huh? Let's continue defining our ranges.

Define Ranges
  1. After info=countif(status<200) add

    , success=countif(status>=200 and status<300), fail=countif(status>=300 and status<500), epic_fail=countif(status>=500)

    The full search should be:

    dataset="cribl_search_sample" dataSource="access_combined" | summarize info=countif(status<200), success=countif(status>=200 and status<300), fail=countif(status>=300 and status<500), epic_fail=countif(status>=500)

    Note that the fail bucket spans 3xx and 4xx, so redirects are counted alongside client errors; split it at 400 if you want redirects reported on their own. Also, an event with no numeric status field satisfies none of the four countif conditions, so the four buckets only add up to count() when every event carries a status.
  2. Click Search.

    Charts Read Minds

    The chart picks the format generally best suited to the data, but you can set it manually. The chart here should be a bar chart; if it is not:

    1. Click the Format icon (paintbrush) at the top right of the chart.
    2. Under Type, select Column.

    tip: You could also select Horizontal Bar if that suits your fancy.

Woooo! Look at that beautiful chart! Well, kinda. This chart is showing that there are far more fails and epic fails than should probably ever be seen. Let's find out if this is localized to a single server.

Summarize by host
  1. Add by host to the end of the search. The search should be:
    dataset="cribl_search_sample" dataSource="access_combined" | summarize info=countif(status<200), success=countif(status>=200 and status<300), fail=countif(status>=300 and status<500), epic_fail=countif(status>=500) by host
  2. Click Search.
  3. If necessary, change the chart back to a Column via the Format icon (paintbrush).

And there you have it! Fails across the board (cue the facepalm emoji). Oh wait, here: 🤦
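To make concrete what the two summarize searches above compute (the ungrouped one and the one with by host), here is an added Python example that is not part of the original page and not Cribl Search code. It parses a handful of constructed access_combined log lines, buckets the status codes with exactly the page's countif ranges, groups them by host, and ranks hosts by their share of fail and epic_fail events. The sample lines, the host field (assumed to be set by the collector, since the combined log format does not carry it) and the helper names are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample events: (host, Apache "combined" log line).
# Not from the page's cribl_search_sample dataset. The last line is
# deliberately unparseable to show what happens to events without a status.
SAMPLE_EVENTS = [
    ("web-01", '10.0.0.1 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 2326 "-" "curl/7.88"'),
    ("web-01", '10.0.0.2 - - [10/Oct/2023:13:55:37 +0000] "GET /old HTTP/1.1" 301 0 "-" "curl/7.88"'),
    ("web-01", '10.0.0.3 - - [10/Oct/2023:13:55:38 +0000] "GET /admin HTTP/1.1" 403 0 "-" "curl/7.88"'),
    ("web-02", '10.0.0.4 - - [10/Oct/2023:13:55:39 +0000] "POST /api HTTP/1.1" 500 0 "-" "curl/7.88"'),
    ("web-02", '10.0.0.5 - - [10/Oct/2023:13:55:40 +0000] "GET /a HTTP/1.1" 503 0 "-" "curl/7.88"'),
    ("web-02", '10.0.0.6 - - [10/Oct/2023:13:55:41 +0000] "GET /b HTTP/1.1" 100 0 "-" "curl/7.88"'),
    ("web-02", '10.0.0.7 - - [10/Oct/2023:13:55:42 +0000] "GET /c HTTP/1.1" 200 512 "-" "curl/7.88"'),
    ("web-02", "garbage line that does not parse"),
]

# Apache combined log format: client ident user [timestamp] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

BUCKETS = ("info", "success", "fail", "epic_fail")


def bucket_for(status):
    """Map a numeric status to the page's four countif() ranges.

    Note that "fail" spans 3xx and 4xx, exactly as the search does.
    """
    if status < 200:
        return "info"
    if status < 300:
        return "success"
    if status < 500:
        return "fail"
    return "epic_fail"


def parse_status(line):
    """Return the status code of a combined log line, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return int(m.group("status")) if m else None


def summarize(events):
    """Equivalent of the ungrouped `summarize info=..., success=..., fail=..., epic_fail=...`.

    Events with no numeric status satisfy none of the four conditions, so they are
    reported separately here to make the gap between the buckets and count() visible.
    """
    counts = dict.fromkeys(BUCKETS, 0)
    unparsed = 0
    for _host, line in events:
        status = parse_status(line)
        if status is None:
            unparsed += 1
            continue
        counts[bucket_for(status)] += 1
    counts["unparsed"] = unparsed
    return counts


def summarize_by_host(events):
    """Equivalent of the same summarize with `by host`: one bucket row per host."""
    per_host = defaultdict(lambda: dict.fromkeys(BUCKETS, 0))
    for host, line in events:
        status = parse_status(line)
        if status is None:
            continue  # mirrors countif(): no status, no bucket
        per_host[host][bucket_for(status)] += 1
    return dict(per_host)


def error_share(per_host):
    """Rank hosts by the fraction of parsed events in fail or epic_fail, worst first.

    This is the "is it localized to one server?" question as a number.
    """
    shares = {}
    for host, c in per_host.items():
        total = sum(c.values())
        shares[host] = (c["fail"] + c["epic_fail"]) / total if total else 0.0
    return sorted(shares.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    print(summarize(SAMPLE_EVENTS))
    by_host = summarize_by_host(SAMPLE_EVENTS)
    for host, row in by_host.items():
        print(host, row)
    for host, share in error_share(by_host):
        print(f"{host}: {share:.0%} of parsed events are fail/epic_fail")
```

On the constructed sample the ungrouped result is info=1, success=2, fail=2, epic_fail=2 with one unparsed event, and the per-host view shows web-01 failing on 3xx/4xx while web-02 fails on 5xx, which is the kind of split the bar chart in the tutorial is meant to surface.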