https://community.splunk.com/t5/Splunk-Search/Stats-StatusCode-error-Rate/m-p/512622#M143786 <P>Thanks&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;. Appreciated.</P><P>Regards,</P><P>DD</P> Wed, 05 Aug 2020 17:23:10 GMT dpdwibedy 2020-08-05T17:23:10Z https://community.splunk.com/t5/Splunk-Search/Stats-StatusCode-error-Rate/m-p/512610#M143780 <P>Hi There,</P><P>Need help to find the&nbsp; status code error rate&nbsp; where&nbsp; status code is &gt;400.</P><P>I have below Query to time chart the error rate&nbsp; , which works fine...</P><DIV class="shared-alertcontrols-details">index=apache_core &nbsp;userAgent!="nginx/*" source="*access.log*" &nbsp;requestURI!="/web/app*" NOT (requestURI="/api/xyz/*" &nbsp;OR requestURI="/api/yyy/*" &nbsp;AND statusCode=404) <SPAN>earliest=-30m latest=now&nbsp;</SPAN>| timechart span=5m limit=0 eval((count(eval(statusCode&gt;=400)) / count()) * 100) as ErrorRate</DIV><DIV class="shared-alertcontrols-details">&nbsp;</DIV><DIV class="shared-alertcontrols-details">But , to&nbsp; create an alert , I don't want the time chart&nbsp; , just the&nbsp; error rate&nbsp; in last 30 mins.</DIV><DIV class="shared-alertcontrols-details">&nbsp;</DIV><DIV class="shared-alertcontrols-details">the stats count with the eval statement doesn't work.</DIV><DIV class="shared-alertcontrols-details">&nbsp;</DIV><DIV class="shared-alertcontrols-details">Thanks,</DIV><DIV class="shared-alertcontrols-details">DD</DIV><P>&nbsp;</P> Wed, 05 Aug 2020 15:56:06 GMT https://community.splunk.com/t5/Splunk-Search/Stats-StatusCode-error-Rate/m-p/512610#M143780 dpdwibedy 2020-08-05T15:56:06Z https://community.splunk.com/t5/Splunk-Search/Stats-StatusCode-error-Rate/m-p/512618#M143783 <P>For an alert, replace <FONT face="courier new,courier">timechart</FONT> with <FONT face="courier new,courier">stats</FONT> and <FONT face="courier new,courier">eval</FONT>.</P><LI-CODE lang="markup">index=apache_core userAgent!="nginx/*" source="*access.log*" requestURI!="/web/app*" NOT (requestURI="/api/xyz/*" OR requestURI="/api/yyy/*" AND statusCode=404) earliest=-30m latest=now | stats count(eval(statusCode&gt;=400)) as errors, count as total | eval ErrorRate = errors * 100 / total</LI-CODE><P>&nbsp;</P> Wed, 05 Aug 2020 16:42:06 GMT https://community.splunk.com/t5/Splunk-Search/Stats-StatusCode-error-Rate/m-p/512618#M143783 richgalloway 2020-08-05T16:42:06Z https://community.splunk.com/t5/Splunk-Search/Stats-StatusCode-error-Rate/m-p/512620#M143784 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp; ,</P><P>Thanks! for&nbsp; the reply . It works , but I want only "ErrorRate" to be displayed.</P><P>Right now , it displays like this.</P><LI-CODE lang="markup">errors total ErrorRate 19056 679878 2.8028558064829276</LI-CODE><P>&nbsp;</P> Wed, 05 Aug 2020 16:50:09 GMT https://community.splunk.com/t5/Splunk-Search/Stats-StatusCode-error-Rate/m-p/512620#M143784 dpdwibedy 2020-08-05T16:50:09Z https://community.splunk.com/t5/Splunk-Search/Stats-StatusCode-error-Rate/m-p/512621#M143785 <P>Add <FONT face="courier new,courier">| fields ErrorRate</FONT> to the end of the query.</P> Wed, 05 Aug 2020 17:11:25 GMT https://community.splunk.com/t5/Splunk-Search/Stats-StatusCode-error-Rate/m-p/512621#M143785 richgalloway 2020-08-05T17:11:25Z https://community.splunk.com/t5/Splunk-Search/Stats-StatusCode-error-Rate/m-p/512622#M143786 <P>Thanks&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;. Appreciated.</P><P>Regards,</P><P>DD</P> Wed, 05 Aug 2020 17:23:10 GMT https://community.splunk.com/t5/Splunk-Search/Stats-StatusCode-error-Rate/m-p/512622#M143786 dpdwibedy 2020-08-05T17:23:10Z