Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to create a single alert for all HTTP error codes in events?

allurirohan
Explorer
‎10-30-2015 07:16 AM

Hi,

I would like to create a single alert for all HTTP error codes in events.
Ex: I would like to create an alert for 400,404,500 etc error codes if the count reaches 25 in 5 mins period for 2 error codes and if the count reaches 250 for other error code. Do I need to create an alert for each error code, or is there a way we can include everything in single alert?

Would really appreciate if anyone can help.

0 Karma
Reply

woodcock
Esteemed Legend
‎10-30-2015 10:29 AM

Like this (for a single alert/search):

... (errorCode=400 OR errorCode=404 OR errorCode=500) | bucket _time span=5 | stats count by errorCode _time | where (count<25 AND (errorCode=400 OR errorCode=404)) OR (count<250)
0 Karma
Reply

allurirohan
Explorer
‎10-30-2015 11:06 AM

Thank you for the quick response.
so , what trigger condition we need to select while creating the alert ?

0 Karma
Reply

woodcock
Esteemed Legend
‎10-30-2015 11:10 AM

Where Number of events and is greater than 0.

0 Karma
Reply

allurirohan
Explorer
‎10-30-2015 11:27 AM

Ok.One more question is , Is there a way to include the message in the alert description we which error code has exceeded the threshold?
Ex: we have the alert name as "Httperror alert" - but its just sending an alert with number of events (31).
So , we are not sure which error code exceeded,as we have 2 error codes has same threshold.

0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎10-30-2015 07:36 PM

In your "Save as Alert" dialog, in the "Send email" section, there are some options under "Include." Click the "Inline" option (4th one in that section) and leave the little drop-down next to it set to "table".

That will create a little table of the results of the search that triggered the alert, and include it in the email it sends, so you can see the data itself.

0 Karma
Reply

woodcock
Esteemed Legend
‎10-30-2015 12:14 PM

I am not sure what you mean here but perhaps this document will help:

http://docs.splunk.com/Documentation/Splunk/6.3.0/Report/Schedulereports#Use_tokens_in_scheduled_rep...

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

In today’s data-heavy environment, organizations are caught in a data distribution dilemma. As data volumes ...

GA: New Data Management App in Splunk Platform

Streamlining Data Management: Introducing a unified experience in Splunk Managing data at scale shouldn’t feel ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...