setup alert based on host event count compared with other host

prakashaig — Wed, 30 Sep 2020 04:57:34 GMT

I have 3 webservers which takes the traffic and that is load balanced with least connection based without any sticky sessions, so the traffic will be evenly loaded b/w these servers. looking to create alert if any of the host have less event count comparatively. have the below basic query which will look for specific event on all 3 access logs. we can get alert if there is no event by adding | search eventCount=0 but i need to get alert comparing to other host for example x server has 25 events and other server has 100 events which is above my threshold (75% difference). this will help me trouble shot the LB or may the process is X server is taking longer time to respond or something.

index=x AND (host="x" OR host="y" OR host="z" ) AND source="*access" AND "xyz.com"
| search ResponseCode=200
| inputlookup append=t apache_httpd.csv
| stats count as eventCount by host

apache_httpd.csv is nothing but as below
host
x
y
z

Re: setup alert based on host event count compared with other host

renjith_nair — Thu, 16 Apr 2020 11:16:38 GMT

@prakashaig ,

You might need to find an avg event count (baseline) for the hosts and calculate the percentage of difference based on that.

Try if this works for you

your current search
|eventstats avg(eventCount ) as Avg
|eval percentage=abs(round((eventCount-avg)/avg*100,2))

Alert based on the percentage of deviation

topic Re: setup alert based on host event count compared with other host in Alerting

setup alert based on host event count compared with other host

Re: setup alert based on host event count compared with other host