topic Re: How to setup alert on multiple rows in Alerting

How to setup alert on multiple rows

cgiatras — Wed, 19 Dec 2012 16:22:51 GMT

So I setup this search on an apache web log:

sourcetype="access_common" status=* | top status limit="1000"

Results are:

status count percent
200 250935 96.938500
302 3279 1.266708
404 1667 0.643977
500 1322 0.510701
401 819 0.316387
301 325 0.125550
400 261 0.100827
502 197 0.076103
206 43 0.016611
403 12 0.004636

Now I want to setup an alert that when the Percent Total for 2* and 3* percent falls below 95%. I will like this full report sent in the alert so not sure how to go about doing so. I know I can do :

sourcetype="access_common" status=* | top status limit="1000" | where status=2* OR status=3* but again I would like the above report in FULL when receiving the alert.

Thank you

Re: How to setup alert on multiple rows

jonuwz — Wed, 19 Dec 2012 22:20:59 GMT

You'll need to sum up the percentage of 'good' requests in a custom condition
i.e.

If your base search is

index=_internal source=*web_access.log | top status limit=1000

Then you can do a custom condition of

appendpipe [ | stats sum(eval(if(match(status,"^[23]"),percent,0))) as percent | eval status="good"] | where status=="good" AND percent < 95

This adds another line to the results with a status of 'good' and a percent of the sum of all the 2* and 3* statuses, then if that percent is < 95, the alert triggers

Make sure to tick the box for 'Include results in email' and that the alert mode is 'once per search'

Update

If you find the goob / bad breakdown useful and want to include it in your report here's an alternative.

The main search becomes :

index=_internal source=*web_access.log 
| top status limit=1000     
| eval type=case(match(status,"^[23]"),"good",match(status,"^[45]"),"bad",1==1,"unknown")
| appendpipe [ stats sum(count) as count sum(percent) as percent by type 
               | rename type as status ] 
| fields - type

and the custom condition in the alert simply becomes :

where status=="good" AND percent < 95

Re: How to setup alert on multiple rows

cgiatras — Thu, 27 Dec 2012 15:05:02 GMT

Thanks Jonuwz . Will try this later today and let you know how it worked!

Re: How to setup alert on multiple rows

cgiatras — Thu, 27 Dec 2012 17:10:41 GMT

And what if I wanted to also get the total "good" and total "bad" in the report itself? So far its working great though it seems, just want to let it soak in for a few hours.

Re: How to setup alert on multiple rows

cgiatras — Thu, 27 Dec 2012 17:39:39 GMT

I came up with this:

Re: How to setup alert on multiple rows

jonuwz — Thu, 27 Dec 2012 18:44:24 GMT

updated with sample code for the good / bad stats in the report

Re: How to setup alert on multiple rows

cgiatras — Fri, 28 Dec 2012 14:56:59 GMT

Thanks Jonuwz that looks great!