https://community.splunk.com/t5/Splunk-Search/What-is-the-basic-search-for-detecting-Multiple-HTTP-errors-from/m-p/657673#M227151 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/234071">@mohsplunking</a>&nbsp;</P><LI-CODE lang="markup">index=your_source_index status&gt;=400 status&lt;600 | stats count by ip | where count&gt;100</LI-CODE><P>or you can do&nbsp;</P><LI-CODE lang="markup">index=your_source_index status&gt;=400 status&lt;600 | top ip | where count &gt; 100</LI-CODE><P>but I would prefer stats over top</P><P>&nbsp;</P> Fri, 15 Sep 2023 00:12:08 GMT bowesmana 2023-09-15T00:12:08Z https://community.splunk.com/t5/Splunk-Search/What-is-the-basic-search-for-detecting-Multiple-HTTP-errors-from/m-p/657502#M227105 <P>Hello Splunkers,</P> <P>Can someone help me with a query to detect multiple http errors from single IP , basically when the status code is in 400s/500s.</P> <P>Thank you,</P> <P>regards,</P> <P>Moh</P> Thu, 14 Sep 2023 20:08:57 GMT https://community.splunk.com/t5/Splunk-Search/What-is-the-basic-search-for-detecting-Multiple-HTTP-errors-from/m-p/657502#M227105 mohsplunking 2023-09-14T20:08:57Z https://community.splunk.com/t5/Splunk-Search/What-is-the-basic-search-for-detecting-Multiple-HTTP-errors-from/m-p/657504#M227106 <P>Basic query is something like this, but will depend on your fields</P><LI-CODE lang="markup">index=your_source_index status&gt;=400 status&lt;600 | stats count by ip status</LI-CODE><P>You will then get a table of ip+status+count</P><P>you can do whatever you want to do with that - what's your goal?</P><P>&nbsp;</P> Wed, 13 Sep 2023 23:16:03 GMT https://community.splunk.com/t5/Splunk-Search/What-is-the-basic-search-for-detecting-Multiple-HTTP-errors-from/m-p/657504#M227106 bowesmana 2023-09-13T23:16:03Z https://community.splunk.com/t5/Splunk-Search/What-is-the-basic-search-for-detecting-Multiple-HTTP-errors-from/m-p/657556#M227124 <P>Thanks for your response, the goal is to list the IP's that is causing maximum http errors. Lets say where errors are &gt;100.</P> Thu, 14 Sep 2023 08:02:33 GMT https://community.splunk.com/t5/Splunk-Search/What-is-the-basic-search-for-detecting-Multiple-HTTP-errors-from/m-p/657556#M227124 mohsplunking 2023-09-14T08:02:33Z https://community.splunk.com/t5/Splunk-Search/What-is-the-basic-search-for-detecting-Multiple-HTTP-errors-from/m-p/657557#M227125 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/234071">@mohsplunking</a>,</P><P>if you need the total count of errors, the solution from&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/6367">@bowesmana</a>&nbsp;is perfect.</P><P>let us know if we can help you more, or, please, accept one answer for the other people of Community.</P><P>Ciao and happy splunking</P><P>Giuseppe</P><P>P.S.: Karma Points are appreciated by all the contributors <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Thu, 14 Sep 2023 08:26:40 GMT https://community.splunk.com/t5/Splunk-Search/What-is-the-basic-search-for-detecting-Multiple-HTTP-errors-from/m-p/657557#M227125 gcusello 2023-09-14T08:26:40Z https://community.splunk.com/t5/Splunk-Search/What-is-the-basic-search-for-detecting-Multiple-HTTP-errors-from/m-p/657559#M227126 <P>Hello gcusello,</P><P>Thanks for your inputs, However, like&nbsp; I said the use case is I'm looking for IP that is causing maximum number of http errors(400s,500s) , lets say I'm trying to find a single IP that is causing&nbsp; over 100 http errors . I think in the query we will have to use eval&amp;case functions too.</P><P>Please let me know if you need further clarifications on the above.</P><P>Moh.</P> Thu, 14 Sep 2023 08:35:09 GMT https://community.splunk.com/t5/Splunk-Search/What-is-the-basic-search-for-detecting-Multiple-HTTP-errors-from/m-p/657559#M227126 mohsplunking 2023-09-14T08:35:09Z https://community.splunk.com/t5/Splunk-Search/What-is-the-basic-search-for-detecting-Multiple-HTTP-errors-from/m-p/657673#M227151 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/234071">@mohsplunking</a>&nbsp;</P><LI-CODE lang="markup">index=your_source_index status&gt;=400 status&lt;600 | stats count by ip | where count&gt;100</LI-CODE><P>or you can do&nbsp;</P><LI-CODE lang="markup">index=your_source_index status&gt;=400 status&lt;600 | top ip | where count &gt; 100</LI-CODE><P>but I would prefer stats over top</P><P>&nbsp;</P> Fri, 15 Sep 2023 00:12:08 GMT https://community.splunk.com/t5/Splunk-Search/What-is-the-basic-search-for-detecting-Multiple-HTTP-errors-from/m-p/657673#M227151 bowesmana 2023-09-15T00:12:08Z https://community.splunk.com/t5/Splunk-Search/What-is-the-basic-search-for-detecting-Multiple-HTTP-errors-from/m-p/657684#M227155 <P>i&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/234071">@mohsplunking</a>&nbsp;,</P><P>if you ne only an alert, as I said, the solution from&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/6367">@bowesmana</a>&nbsp;is perferct and you don't need any additional command.</P><P>the eval/case&nbsp; could be useful if you need to display some additional information e.g. a level of alert quantity.</P><P>Ciao.</P><P>Giuseppe</P> Fri, 15 Sep 2023 06:02:54 GMT https://community.splunk.com/t5/Splunk-Search/What-is-the-basic-search-for-detecting-Multiple-HTTP-errors-from/m-p/657684#M227155 gcusello 2023-09-15T06:02:54Z