Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to alert when http status=404 is over 5 percent of total traffic?

gingersoftware
New Member
‎07-17-2018 01:50 AM

Hi,

How to alert when http status=404 is over 5 percent of total traffic ?

This is the simple search query I use. Need your help to add the correct condition for the alert.

tag=NginxLogs  host=www* status=404

Thanks for your help.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎07-17-2018 03:57 AM

Try this

tag=NginxLogs host=www* |stats count by status|eventstats sum(count) as total|eval perc=round((count/total)*100,2)|where status="404" AND perc>5
---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ralam
Explorer
‎07-17-2018 04:41 AM

you can also achieve it using below query:

tag=NginxLogs host=www* status=404

| stats count by status
| eval total=[search tag=NginxLogs host=www* | stats count(src) as total | eval total="\"".total."\""| return $total]
| eval percent=round((count/total)*100,2)
| where percent>5

In my environment, this query ran faster.

you can be more efficient if you mention index=xyz in your query. (in our case we did)

0 Karma
Reply
Solved! Jump to solution

gingersoftware
New Member
‎07-18-2018 05:07 AM

Thank You!

Can you explain where do I add it in order for that to be an Alert?

0 Karma
Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎07-17-2018 03:57 AM

Try this

tag=NginxLogs host=www* |stats count by status|eventstats sum(count) as total|eval perc=round((count/total)*100,2)|where status="404" AND perc>5
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

gingersoftware
New Member
‎07-17-2018 04:30 AM

Thank you very much

0 Karma
Reply
Solved! Jump to solution

gingersoftware
New Member
‎07-18-2018 05:25 AM

Can you explain where do I add it in order for that to be an Alert?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...