topic Re: stats count not working in Splunk Search

stats count not working

dbashyam — Thu, 21 Mar 2019 11:28:53 GMT

Hi, I am trying to get a table type of alerting but I am not getting the output

 index = ops host = Sr*xxxx* sourcetype=iislogs (HttpStatusCode =400 OR  HttpStatusCode = 401 OR HttpStatusCode = 403 OR HttpStatusCode = 404 OR HttpStatusCode = 405) AND (*loadbalancer* OR *gateway* OR *IFT* OR *widget* ) NOT ( *.png OR *.gif OR *.css OR *fonts* OR *.txt OR *.gif OR *.ico OR *.jpg OR *.pdf OR *.exe OR *.cgi OR *.swf OR *.vmd OR *.xsl OR *.xml OR *qualy* OR *woff* OR *.bak OR *.png OR *.svg OR *.ttf OR *.ini OR *.temp OR *.data OR *.tar OR *curl* OR *.po OR *.mo OR *.tpl OR *.tmpl OR *script*) | bin _time span=5m |stats count as avg_count by _time | where avg_count > 4 | eval alert="'splunk:".host.";crit;welcome to splunk  Error ".host.";Process;rr_os;mmtt;tt_3'" | table alert

I am expecting a table form but I don't get anything. Could you please help.

Thanks,
Dinesh

Re: stats count not working

nickhills — Thu, 21 Mar 2019 11:42:59 GMT

after you run stats count as avg_count by _time there is no longer a field called 'host'

You can resolve this by using by _time, host instead.

index=ops host=Sr*xxxx* sourcetype=iislogs (HttpStatusCode=400 OR HttpStatusCode=401 OR HttpStatusCode=403 OR HttpStatusCode=404 OR HttpStatusCode=405) AND (*loadbalancer* OR *gateway* OR *IFT* OR *widget* ) NOT ( *.png OR *.gif OR *.css OR *fonts* OR *.txt OR *.gif OR *.ico OR *.jpg OR *.pdf OR *.exe OR *.cgi OR *.swf OR *.vmd OR *.xsl OR *.xml OR *qualy* OR *woff* OR *.bak OR *.png OR *.svg OR *.ttf OR *.ini OR *.temp OR *.data OR *.tar OR *curl* OR *.po OR *.mo OR *.tpl OR *.tmpl OR *script*) 
| bin _time span=5m 
| stats count as avg_count by _time, host
| where avg_count > 4 
| eval alert="'splunk:".host.";crit;welcome to splunk  Error ".host.";Process;rr_os;mmtt;tt_3'" 
| table alert

Re: stats count not working

dbashyam — Mon, 25 Mar 2019 22:57:20 GMT

yes that worked @nickhillscpl