topic Re: Custom Condition Search for Alert for HTTP status code report in Splunk Search

Custom Condition Search for Alert for HTTP status code report

DavidGuarneri — Mon, 28 Sep 2020 14:45:51 GMT

I have the following search in an alert that triggers every 15 minutes:

source="C:\logs\path\*.log" | chart count over http_status_code

http_status_code is a custom field. The search works well, and gives the nicely formatted output below via html-formatted email:

http_status_code count
200 432
400 3
401 4

I don't want to change the output of this report. It's perfect the way it is. I only want to set the condition to only send a notification if 400 gives a count of 1 or more.

I've searched for some time "splunk custom condition" for an answer on this, but the question is usually extremely complicated, and often the answer requires that the output of the report be changed. I've also searched the documentation. (So please no links with vague hints, I've seen them all).

I've tried the following, but the syntax does not appear to be correct. I think it should be a fairly simple deal, but apparently not. Help is appreciated.

http_status_code=400 | search eventcount>=1

Re: Custom Condition Search for Alert for HTTP status code report

linu1988 — Thu, 12 Sep 2013 17:49:40 GMT

Hi David,

You can use this

source="C:\logs\path\*.log" http_status_code=400|  where count > 0

I presume count is a field. A real-time alert or a scheduled alert will do the job.

Or you have to do the below.

source="C:\logs\path\*.log" http_status_code=400|  Stats Count(http_status_code) as Error_Count|where Error_Count > 0

Re: Custom Condition Search for Alert for HTTP status code report

DavidGuarneri — Thu, 12 Sep 2013 18:16:15 GMT

Thanks for the response. I already had what you show in your first example as a separate alert. For this report, can I use this search in the custom condition search field? I don't want to change the format of the report. Thanks.

Re: Custom Condition Search for Alert for HTTP status code report

DavidGuarneri — Thu, 12 Sep 2013 18:22:48 GMT

I tried putting that in the custom condition field. I get the following error: "Encountered the following error while trying to update: In handler 'savedsearch': Cannot parse alert condition. Unknown search command 'source'."

Re: Custom Condition Search for Alert for HTTP status code report

zeroactive — Mon, 28 Sep 2020 14:45:57 GMT

Define your base search just as you have:

source="C:\logs\path*.log" | chart count over http_status_code

Create an Advanced Conditional Alert to "Trigger if" field value of "Custom condition is met" and enter the follow for the condition text:

search http_status_code=401 | search count >= 1

I think that should work, but you might have to tweak it a bit.

Re: Custom Condition Search for Alert for HTTP status code report

DavidGuarneri — Thu, 12 Sep 2013 19:12:06 GMT

That looks closer to what I'm trying to do. I will try it, thank you!

Re: Custom Condition Search for Alert for HTTP status code report

linu1988 — Mon, 28 Sep 2020 14:46:00 GMT

Why do you need a custom condition?

111011source="C:\logs\path*.log" http_status_code=400| Stats Count(Http_status_code) as Error_Count|where Error_Count > 0|Table Http_status_code,Error_Count

will give you the alert. The above is the original search. Then you can go results > 0.

And if you really want to give the custom condition you can give count >= 1

Re: Custom Condition Search for Alert for HTTP status code report

DavidGuarneri — Sat, 14 Sep 2013 13:52:49 GMT

The above didn't give any results. It gives results only if I type up to "as Error_Count"; however, it only shows the count of 400 errors.

I need a custom condition because the chart gives a larger data set than the condition that should fire the alert.

The requirements are to fire one simple alert the minute a 400 error appears for a certain application. After that, a quarter hour report of ALL http status codes broken down by application should fire. I've made both reports successfully, I just need the quarter hour report to fire only when that one application gets a 400 error.

Re: Custom Condition Search for Alert for HTTP status code report

DavidGuarneri — Sat, 14 Sep 2013 14:06:30 GMT

Unfortunately, the alert of all status codes did not fire after a test log entry was created 😞 . A simpler alert that only reports the count of 400 errors did fire, however. By the way, the 401 is a typo on my part, which I corrected. Should be 400.

Re: Custom Condition Search for Alert for HTTP status code report

DavidGuarneri — Sat, 14 Sep 2013 14:10:43 GMT

I've already created the simple 400 error real time alert. That one works. As far as the quarter hour report, I've thought of some workarounds, including having the first alert trigger the second one by using a script that changes a file with a flag. This seems very roundabout, however. There has to be a way to get the quarter hour report to fire only when the required conditions exist.