Vipul
Reputation: 610
splunk query to concatenate status code for every hour
index=abc sourcetype=firststream-* env=* module=API type=Error error_level=fatal serviceName=MyService |bin _time span=1h | stats count by _time,serviceName,httpStatusCode
output is displayed for every httpStatuscode in that hour. Instead, I want to concatenate httpStatusCode for that hour and display in a single column.
Upvotes: 0
Views: 1449
Answers (1)
RichG
Reputation: 9926
Try this.
index=abc sourcetype=firststream-* env=* module=API type=Error error_level=fatal serviceName=MyService
| bin _time span=1h
| stats count values(httpStatusCode) as httpStatusCode by _time, serviceName
| table _time, serviceName, httpStatusCode
Upvotes: 0
Related Questions
- Splunk query using append
- Splunk: Split a time period into hourly intervals
- Splunk : extract multiple values from each event
- Splunk - Assigning custom time
- How to get splunk report for different time ranges
- Splunk: combine fields from multiple lines
- Group event counts by hour over time
- Splunk query substract time
- Get the count of above occurrences on an hourly basis using splunk query
- How to combine two queries in Splunk?