Group HTTP Methods and Count Status Codes

Analyze HTTP traffic patterns using a nested groupBy() function

Query

Flowchart: Events --> Aggregate --> Result Set

groupBy(method, function=[count(as=method_total),
        groupBy(statuscode, function=count(as=method_status_count))])

Introduction

The groupBy() function can be used to group events by one or more fields and perform aggregate functions on each group. When nested, it enables multi-level analysis of data relationships.

In this example, the groupBy() function is used to analyze HTTP traffic patterns by grouping requests first by HTTP method and then by status code, providing counts at both levels.

Example incoming data might look like this:

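| @timestamp           | method | statuscode | path           | bytes |
|----------------------|--------|------------|----------------|-------|
| 2025-08-06T10:00:00Z | GET    | 200        | /index.html    | 1024  |
| 2025-08-06T10:00:01Z | POST   | 201        | /api/users     | 512   |
| 2025-08-06T10:00:02Z | GET    | 404        | /missing.html  | 256   |
| 2025-08-06T10:00:03Z | GET    | 200        | /about.html    | 768   |
| 2025-08-06T10:00:04Z | POST   | 400        | /api/users     | 128   |
| 2025-08-06T10:00:05Z | PUT    | 200        | /api/users/1   | 896   |
| 2025-08-06T10:00:06Z | GET    | 200        | /contact.html  | 645   |
| 2025-08-06T10:00:07Z | POST   | 201        | /api/orders    | 789   |
| 2025-08-06T10:00:08Z | GET    | 404        | /old-page.html | 234   |
| 2025-08-06T10:00:09Z | DELETE | 204        | /api/users/2   | 0     |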

Step-by-Step

  1. Starting with the source repository events.

  2. Flowchart: Events --> Aggregate --> Result Set (Aggregate step highlighted)

    groupBy(method, function=[count(as=method_total),
            groupBy(statuscode, function=count(as=method_status_count))])

    Groups events first by the method field and performs two functions:

    • Counts the total number of events for each HTTP method using count() and returns the result in a new field named method_total.

    • Creates a nested grouping by statuscode within each method group, counts occurrences using count(), and returns the result in a new field named method_status_count.

  3. Event Result set.

Summary and Results

The query is used to analyze HTTP traffic patterns by providing a hierarchical view of request methods and their associated status codes.

This query is useful, for example, to identify patterns in API usage, detect potential issues with specific HTTP methods, or monitor the distribution of success and error responses across different request types.

Sample output from the incoming example data:

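| method | method_total | statuscode | method_status_count |
|--------|--------------|------------|---------------------|
| GET    | 5            | 200        | 3                   |
| GET    | 5            | 404        | 2                   |
| POST   | 3            | 201        | 2                   |
| POST   | 3            | 400        | 1                   |
| PUT    | 1            | 200        | 1                   |
| DELETE | 1            | 204        | 1                   |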

Note that the output shows both the total count per method (method_total) and the breakdown of status codes (method_status_count) within each method, providing a comprehensive view of the HTTP traffic distribution.

This data would be effectively visualized using a Sankey diagram widget to show the flow from HTTP methods to status codes, or a nested pie chart to display the distribution.
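
The following Python sketch is an added example, not LogScale code or part of the original documentation. It models the nested grouping over the sample events to show why method_total repeats on every status-code row, and derives a per-method error share from those rows. The names nested_group_by and error_share are hypothetical, and the row ordering (first-seen method, ascending status code) is an assumption chosen to match the sample output.

```python
from collections import Counter

# Constructed sample: (method, statuscode) pairs taken from the example events.
EVENTS = [
    ("GET", 200), ("POST", 201), ("GET", 404), ("GET", 200), ("POST", 400),
    ("PUT", 200), ("GET", 200), ("POST", 201), ("GET", 404), ("DELETE", 204),
]

def nested_group_by(events):
    """Model groupBy(method, [count, groupBy(statuscode, count)]) in plain Python."""
    per_method = {}  # method -> Counter of status codes, in first-seen order
    for method, status in events:
        per_method.setdefault(method, Counter())[status] += 1
    rows = []
    for method, statuses in per_method.items():
        method_total = sum(statuses.values())  # outer count(as=method_total)
        # The inner grouping yields one row per status code; the outer
        # aggregate's value is repeated on each of those rows.
        for status in sorted(statuses):
            rows.append({"method": method, "method_total": method_total,
                         "statuscode": status,
                         "method_status_count": statuses[status]})
    return rows

def error_share(rows):
    """Fraction of each method's requests that returned a 4xx or 5xx status."""
    share = {}
    for r in rows:
        errors = r["method_status_count"] if r["statuscode"] >= 400 else 0
        share[r["method"]] = share.get(r["method"], 0) + errors / r["method_total"]
    return share

if __name__ == "__main__":
    result = nested_group_by(EVENTS)
    for row in result:
        print(row)
    print(error_share(result))
```

Because method_total is carried on every row, the error share per method can be computed from the result set alone, without a second pass over the raw events.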