Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to alert when statusCode=403 is over X percent of total traffic, and greater than a count of 100?

Filmhooligan
New Member
‎01-24-2017 04:46 PM

I have an alert that checks for a percentage of requests that are 403'ing:

index=myIndex "POST /url1" OR "POST /url2 "
| stats count by statusCode
| eventstats sum(count) as percent 
| eval percent=round(count*100/percent,2) 
| fields percent,statusCode
| search (statusCode="403")
| search percent > 2

I'm hoping to add a condition for when traffic is slow and percentages might be skewed. How can I add a condition for the alert to fire only if the percent is > 2% of all traffic AND the amount of 403's is greater than 100?

Thanks for your help!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gokadroid
Motivator
‎01-24-2017 05:06 PM

How about changing these lines of your query | search (statusCode="403")| search percent > 2 and making them as follows to see if it works for your case:

...| search (statusCode="403" AND count>=100 AND percent > 2)

View solution in original post

0 Karma
Reply
Solved! Jump to solution

vinothkumark
Path Finder
‎01-20-2023 05:01 AM

Hi, can you help on the query if multiple condition needs to be met in the same query? 
Example: status code is 500 and greater than 10% alert should be triggered. also, if status code is 403 and greater than 20% alert should be triggered.

0 Karma
Reply
Solved! Jump to solution
Solution

gokadroid
Motivator
‎01-24-2017 05:06 PM

How about changing these lines of your query | search (statusCode="403")| search percent > 2 and making them as follows to see if it works for your case:

...| search (statusCode="403" AND count>=100 AND percent > 2)
0 Karma
Reply
Solved! Jump to solution

Filmhooligan
New Member
‎01-24-2017 05:25 PM

Thanks for your help! Unfortunately that did not work. I tuned down my numbers to verify that the search was doing what I wanted, down to count>=1 AND percent>.5 I got "No results found" when running that, but when running my search with just the percent changed to | search percent > 2 I got a result of 0.55%

0 Karma
Reply
Solved! Jump to solution

gokadroid
Motivator
‎01-24-2017 09:49 PM

Did you add count in this line of SPL | fields percent,statusCode

Unless you include field count in it to make it | fields count, percent,statusCode you will not be able to search on it in
| search (statusCode="403" AND count>=100 AND percent > 2)

0 Karma
Reply
Solved! Jump to solution

Filmhooligan
New Member
‎01-25-2017 08:56 AM

Oh yeah that makes sense, this works just how I needed it now, thank you!

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...