splunk

Splunk queries 

```Startup-time report: one row per "Started in <duration>" line a service logs at boot.```
```The substr offsets encode the host naming convention (assumed: char 7 = swimlane, 8-10 = product code, 11-12 = service) -- verify against a real host name before trusting the split.```
index=prd1* "Started in"
| rex field=_raw "Started in (?<StartedInTime>.*)"
| eval Swimlane=substr(host,7,1),
       productcode=substr(host,8,3),
       Service=substr(host,11,2)
| table _time, source, host, Swimlane, productcode, Service, StartedInTime

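```Login-path health per minute: share of /home and /redirectInitialLogin requests that were slow (>= 30 s) or answered 500/503.```
```FAIL measures availability (5xx / timeout), not authentication outcome -- 401/403 responses count as successes here.```
index=prd1* source="*acc*" host="*pprd1*"
| rex ".*(GET|POST) (?<REQUEST_URL>[^ ?;]*).* HTTP[^ ]+ (?<RESPONSE_CODE>[0-9]+) (?<RESPONSE_BYTES>[^ ]+) (?<DIID>[^- ]*) (?<RESPONSE_TIME>[0-9]+)"
| search REQUEST_URL="/blah/app/home" OR REQUEST_URL="/blah/app/redirectInitialLogin"
| eval Swimlane=substr(host,7,1)
```TimeField is clock time only (HH:MM); a range spanning more than one day merges the same minute of different days -- use bin _time span=1m if that matters.```
| eval TimeField=strftime(_time, "%H:%M")
```Regex captures are strings; tonumber() makes the threshold comparisons explicitly numeric.```
| eval FAIL=if(tonumber(RESPONSE_TIME)>=30000 OR tonumber(RESPONSE_CODE)=500 OR tonumber(RESPONSE_CODE)=503, 1, 0)
```Total is never 0 for a group: the search above keeps only events with REQUEST_URL set, so each TimeField bucket has at least one counted event.```
| stats sum(FAIL) as FailedLogin count(REQUEST_URL) as Total by TimeField
```'%' is eval's modulo operator, so a field name containing it must be single-quoted.```
| eval 'Failure%'=100*FailedLogin/Total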

```Time-range modifiers for the searches above (format %m/%d/%Y:%H:%M:%S, interpreted in the searching user's configured time zone -- confirm). Append to either search or set the same window in the time picker.```
earliest="05/06/2015:11:25:00" latest="05/06/2015:11:54:00"