How to create Splunk single alert for multiple htt...

vinothkumark · ‎01-23-2023

I have a field which contains http status code. I want to create a single alert query with multiple conditions.

Example:
condition1) status code is 500 and greater than 10% alert should be triggered.
Condition 2) status code is 403 and greater than 20% alert should be triggered.
Condition 3) status code is 503 and greater than 20% alert should be triggered.

Also, Is it possible to have different time range for the above condition? like condition 1 and condition 2 should search for last 15 minutes, whereas condition 3 should search for last 30 mins.

How do I form the query?

gcusello · ‎01-23-2023

Hi @vinothkumark ,

the condition on status codes and percentages is easy:

<your_search> status_code IN("500","403","503")
| stats
   count(eval(if(status_code="500",1,0))) AS 500_count
   count(eval(if(status_code="403",1,0))) AS 403_count
   count(eval(if(status_code="503",1,0))) AS 503_count
   count
| where 500_count/count>=0.1 OR 403_count/count>=0.2 OR 503_count/count>=0.2

the time condition can be easily added running two alerts or using a more complicated main search:

<your_search> ((status_code IN ("500","403") earliest=-15m) OR (status_code="503" earliest=-30m))
| stats
   count(eval(if(status_code="500",1,0))) AS 500_count
   count(eval(if(status_code="403",1,0))) AS 403_count
   count(eval(if(status_code="503",1,0))) AS 503_count
   count
| where 500_count/count>=0.1 OR 403_count/count>=0.2 OR 503_count/count>=0.2

Ciao.

Giuseppe

vinothkumark · ‎01-24-2023

It shows error in where command

gcusello · ‎01-24-2023

Hi @vinothkumark,

it should correctly run, please debug it using one by one the conditions.

Ciao.

Giuseppe

How to create Splunk single alert for multiple http status code?

alert condition

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life