Issue with URL monitoring over the website monitoring app


We have a few URLs being monitored by a splunk alert(query pasted below for reference) by making use of the "Website Monitoring" add on.
It has however been observed, that a few URLS randomly generate a non 200 HTTP status codes that automatically get resolved in the next iteration.
We've therefore been asked to implement a logic wherein an alert should only be raised if a URL fails two times consecutively.


index=urlperf sourcetype="web_ping"
[| inputlookup URL_Title.csv]
| stats latest(response_code) as response_code latest(_time) as _time by url
| where response_code>=300
| eval Status="Down",Timestamp=strftime(_time,"%d/%m/%Y %H:%M:%S")
| rename response_code as "HTTP Response Code" url as URL
| table Timestamp,URL,"HTTP Response Code", Status
| dedup URL

An an example : Considering URL being monitored is "" with frequency as 5 mins ,
the stake holders want an alert to be raised only for "case 2" and NOT for "case1" .
Could some one please help, on how could we accomplish this through a splunk alert.

case 1 :08:00 hrs url= response_code=404 timed_out=False

              08:05 hrs url= response_code=200 timed_out=False

case 2 :08:00 hrs url= response_code=504 timed_out=False

               08:05 hrs url= response_code=401 timed_out=False

Thank you in advance !

Labels (3)
0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!