Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to alert when http status=404 is over 5 percent of total traffic?

gingersoftware
New Member
‎07-17-2018 01:50 AM

Hi,

How to alert when http status=404 is over 5 percent of total traffic ?

This is the simple search query I use. Need your help to add the correct condition for the alert.

tag=NginxLogs  host=www* status=404

Thanks for your help.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎07-17-2018 03:57 AM

Try this

tag=NginxLogs host=www* |stats count by status|eventstats sum(count) as total|eval perc=round((count/total)*100,2)|where status="404" AND perc>5
---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ralam
Explorer
‎07-17-2018 04:41 AM

you can also achieve it using below query:

tag=NginxLogs host=www* status=404

| stats count by status
| eval total=[search tag=NginxLogs host=www* | stats count(src) as total | eval total="\"".total."\""| return $total]
| eval percent=round((count/total)*100,2)
| where percent>5

In my environment, this query ran faster.

you can be more efficient if you mention index=xyz in your query. (in our case we did)

0 Karma
Reply
Solved! Jump to solution

gingersoftware
New Member
‎07-18-2018 05:07 AM

Thank You!

Can you explain where do I add it in order for that to be an Alert?

0 Karma
Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎07-17-2018 03:57 AM

Try this

tag=NginxLogs host=www* |stats count by status|eventstats sum(count) as total|eval perc=round((count/total)*100,2)|where status="404" AND perc>5
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

gingersoftware
New Member
‎07-17-2018 04:30 AM

Thank you very much

0 Karma
Reply
Solved! Jump to solution

gingersoftware
New Member
‎07-18-2018 05:25 AM

Can you explain where do I add it in order for that to be an Alert?

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...