splunk query to concatenate status code for every hour

Question

index=abc sourcetype=firststream-* env=* module=API type=Error error_level=fatal serviceName=MyService |bin _time span=1h | stats count by _time,serviceName,httpStatusCode

output is displayed for every httpStatuscode in that hour. Instead, I want to concatenate httpStatusCode for that hour and display in a single column.

Please explain what you mean by " concatenate httpStatusCode". Show a mockup output. — RichG, Mar 18 '20 at 21:12
Time span by an hour : 12:00 , serviceName:MyService, httpStatusCode: 403 - 500- 503 , count: 200. Instead of service name displaying 3 times for each status code, display service name in single row with codes concatenate in single column . — Vipul, Mar 18 '20 at 21:16

score 0 · Accepted Answer · answered Mar 19 '20 at 00:29

Try this.

index=abc sourcetype=firststream-* env=* module=API type=Error error_level=fatal serviceName=MyService 
| bin _time span=1h 
| stats count values(httpStatusCode) as httpStatusCode by _time, serviceName
| table _time, serviceName, httpStatusCode

splunk query to concatenate status code for every hour

1 Answers1