Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to alert when statusCode=403 is over X percent of total traffic, and greater than a count of 100?

Filmhooligan
New Member
‎01-24-2017 04:46 PM

I have an alert that checks for a percentage of requests that are 403'ing:

index=myIndex "POST /url1" OR "POST /url2 "
| stats count by statusCode
| eventstats sum(count) as percent 
| eval percent=round(count*100/percent,2) 
| fields percent,statusCode
| search (statusCode="403")
| search percent > 2

I'm hoping to add a condition for when traffic is slow and percentages might be skewed. How can I add a condition for the alert to fire only if the percent is > 2% of all traffic AND the amount of 403's is greater than 100?

Thanks for your help!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gokadroid
Motivator
‎01-24-2017 05:06 PM

How about changing these lines of your query | search (statusCode="403")| search percent > 2 and making them as follows to see if it works for your case:

...| search (statusCode="403" AND count>=100 AND percent > 2)

View solution in original post

0 Karma
Reply
Solved! Jump to solution

vinothkumark
Path Finder
‎01-20-2023 05:01 AM

Hi, can you help on the query if multiple condition needs to be met in the same query? 
Example: status code is 500 and greater than 10% alert should be triggered. also, if status code is 403 and greater than 20% alert should be triggered.

0 Karma
Reply
Solved! Jump to solution
Solution

gokadroid
Motivator
‎01-24-2017 05:06 PM

How about changing these lines of your query | search (statusCode="403")| search percent > 2 and making them as follows to see if it works for your case:

...| search (statusCode="403" AND count>=100 AND percent > 2)
0 Karma
Reply
Solved! Jump to solution

Filmhooligan
New Member
‎01-24-2017 05:25 PM

Thanks for your help! Unfortunately that did not work. I tuned down my numbers to verify that the search was doing what I wanted, down to count>=1 AND percent>.5 I got "No results found" when running that, but when running my search with just the percent changed to | search percent > 2 I got a result of 0.55%

0 Karma
Reply
Solved! Jump to solution

gokadroid
Motivator
‎01-24-2017 09:49 PM

Did you add count in this line of SPL | fields percent,statusCode

Unless you include field count in it to make it | fields count, percent,statusCode you will not be able to search on it in
| search (statusCode="403" AND count>=100 AND percent > 2)

0 Karma
Reply
Solved! Jump to solution

Filmhooligan
New Member
‎01-25-2017 08:56 AM

Oh yeah that makes sense, this works just how I needed it now, thank you!

0 Karma
Reply
Get Updates on the Splunk Community!

Video | Welcome Back to Smartness, Pedro

Remember Splunk Community member, Pedro Borges? If you tuned into Episode 2 of our Smartness interview series, ...

Detector Best Practices: Static Thresholds

Introduction In observability monitoring, static thresholds are used to monitor fixed, known values within ...

Expert Tips from Splunk Education, Observability in Action, Plus More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...