topic Re: Help with Stats command and total count of errors in Splunk Enterprise

Help with Stats command and total count of errors

shashank_24 — Fri, 05 Mar 2021 14:59:15 GMT

Hi, I am working an setting up a alert where I need to count if there have been more than 50 count of errors in last 30 minutes.

And if there is then I need to send the alert with those pages and count. Something like below

requested_content	Status	Count
/my-app/1.html	500	20
/my-app/2.html	500	40
		60

Now the alert should only trigger if the sum of these counts > 50 like above. I have written a query but it only gives the count and not the pages which are throwing the error. I want to see the pages too

index=myindex_prodsourcetype=ssl_access_combined requested_content="/my-app/*" status=50* | stats count by status | where count > 50

Can someone able to advice on this how to achieve this? I want the alert to be triggered and it should output the tabular format with pages and it's count with total count > 50

Re: Help with Stats command and total count of errors

richgalloway — Fri, 05 Mar 2021 15:20:55 GMT

The stats command discards fields it doesn't use so to make them available later in the query they must be mentioned in stats. Try this query.

| makeresults | eval _raw="requested_content Status /my-app/1.html 500 /my-app/2.html 500" | multikv forceheader=1 ```Above just defines test data``` | stats count by requested_content,Status ```Calculate the total count and add it as a field to each result``` | eventstats sum(count) as total ```Show the results only when the total exceeds the limit``` | where total>50 ```Don't show the total field``` | fields - total

Re: Help with Stats command and total count of errors

ITWhisperer — Fri, 05 Mar 2021 15:23:12 GMT

index=myindex_prodsourcetype=ssl_access_combined requested_content="/my-app/*" status=50* | eventstats count by status | where count > 50

However, this counts 500 and 501 and 502 etc. separately. Is this what you want? If not, and given that you are already filtering on status=50*, just use eventstats count

Re: Help with Stats command and total count of errors

shashank_24 — Fri, 05 Mar 2021 15:29:29 GMT

Thanks @richgalloway. That almost solved my purpose. Just one more thing - So right now my alert trigger condition is like this - I should have mentioned in the question Sorry.

| where (status=500 AND count > 50) OR (status=503 AND count > 30) OR (status=502 AND count > 30)

So is it possible to count the total individually by status and then trigger the alert?

Re: Help with Stats command and total count of errors

richgalloway — Fri, 05 Mar 2021 17:50:57 GMT

Based on the new requirements, you just need the stats command from my answer. Do be careful of cases in field names, though.