https://community.splunk.com/t5/Security/How-create-Splunk-alert-based-on-HTTP-status-codes/m-p/561495#M15440 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225644">@Pathik</a>&nbsp;Can you try this.</P><LI-CODE lang="markup">&lt;your_search&gt; status!=200 OR status!=400 OR status!=401 OR status!=403 | stats count by status | addcoltotals count | eventstats max(count) as total | eval perc=count/total * 100 | where perc &gt; 5 AND isnotnull(status) | fields - total</LI-CODE> Fri, 30 Jul 2021 06:00:56 GMT venkatasri 2021-07-30T06:00:56Z https://community.splunk.com/t5/Security/How-create-Splunk-alert-based-on-HTTP-status-codes/m-p/561494#M15439 <P>After searching various posts around HTTP status codes, ended up posting new question <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> <P>&nbsp;</P> <P>I would like to create alert if failures are 5% of total traffic.&nbsp;</P> <P>My criteria of failure is anything that doesn't match HTTP status code 200, 400, 401, 403</P> <P>&nbsp;</P> <P>Thanks in advance</P> <P>Pathik</P> Fri, 20 Jan 2023 15:53:38 GMT https://community.splunk.com/t5/Security/How-create-Splunk-alert-based-on-HTTP-status-codes/m-p/561494#M15439 Pathik 2023-01-20T15:53:38Z https://community.splunk.com/t5/Security/How-create-Splunk-alert-based-on-HTTP-status-codes/m-p/561495#M15440 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225644">@Pathik</a>&nbsp;Can you try this.</P><LI-CODE lang="markup">&lt;your_search&gt; status!=200 OR status!=400 OR status!=401 OR status!=403 | stats count by status | addcoltotals count | eventstats max(count) as total | eval perc=count/total * 100 | where perc &gt; 5 AND isnotnull(status) | fields - total</LI-CODE> Fri, 30 Jul 2021 06:00:56 GMT https://community.splunk.com/t5/Security/How-create-Splunk-alert-based-on-HTTP-status-codes/m-p/561495#M15440 venkatasri 2021-07-30T06:00:56Z https://community.splunk.com/t5/Security/How-create-Splunk-alert-based-on-HTTP-status-codes/m-p/561920#M15447 <P>Thanks&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/163730">@venkatasri</a>&nbsp;,</P><P>Its not working, applied what you shared. but getting only bad requests. (success count not coming in output at all it seems)</P><P>&nbsp;</P><P>Any other things to change?</P> Tue, 03 Aug 2021 16:07:17 GMT https://community.splunk.com/t5/Security/How-create-Splunk-alert-based-on-HTTP-status-codes/m-p/561920#M15447 Pathik 2021-08-03T16:07:17Z https://community.splunk.com/t5/Security/How-create-Splunk-alert-based-on-HTTP-status-codes/m-p/561923#M15448 <LI-CODE lang="markup">&lt;your search&gt; | eval fail=if(status IN (200,400,401,403),0,1) | stats count as total sum(fail) as fails | eval percent=100*fails/total | where percent&gt;5</LI-CODE> Tue, 03 Aug 2021 16:17:44 GMT https://community.splunk.com/t5/Security/How-create-Splunk-alert-based-on-HTTP-status-codes/m-p/561923#M15448 ITWhisperer 2021-08-03T16:17:44Z https://community.splunk.com/t5/Security/How-create-Splunk-alert-based-on-HTTP-status-codes/m-p/562529#M15454 <P>Works like a charm&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;, thanks a ton</P> Mon, 09 Aug 2021 05:12:23 GMT https://community.splunk.com/t5/Security/How-create-Splunk-alert-based-on-HTTP-status-codes/m-p/562529#M15454 Pathik 2021-08-09T05:12:23Z https://community.splunk.com/t5/Security/How-create-Splunk-alert-based-on-HTTP-status-codes/m-p/627744#M16541 <P>Hi, can you help on the query if multiple condition needs to be met in the same query?&nbsp;<BR />Example: status code is 500 and greater than 10% alert should be triggered. also, if status code is 403 and greater than 20% alert should be triggered.</P> Fri, 20 Jan 2023 13:00:59 GMT https://community.splunk.com/t5/Security/How-create-Splunk-alert-based-on-HTTP-status-codes/m-p/627744#M16541 vinothkumark 2023-01-20T13:00:59Z