Alerting

Issue with URL monitoring over the website monitoring app

jackin
Path Finder

Hello,
We have a few URLs being monitored by a splunk alert(query pasted below for reference) by making use of the "Website Monitoring" add on.
It has however been observed, that a few URLS randomly generate a non 200 HTTP status codes that automatically get resolved in the next iteration.
We've therefore been asked to implement a logic wherein an alert should only be raised if a URL fails two times consecutively.

Query:

index=urlperf sourcetype="web_ping"
[| inputlookup URL_Title.csv]
| stats latest(response_code) as response_code latest(_time) as _time by url
| where response_code>=300
| eval Status="Down",Timestamp=strftime(_time,"%d/%m/%Y %H:%M:%S")
| rename response_code as "HTTP Response Code" url as URL
| table Timestamp,URL,"HTTP Response Code", Status
| dedup URL

An an example : Considering URL being monitored is "http://mywebsite.com" with frequency as 5 mins ,
the stake holders want an alert to be raised only for "case 2" and NOT for "case1" .
Could some one please help, on how could we accomplish this through a splunk alert.

case 1 :08:00 hrs url=http://mywebsite.com response_code=404 timed_out=False

              08:05 hrs url=http://mywebsite.com response_code=200 timed_out=False

case 2 :08:00 hrs url=http://mywebsite.com response_code=504 timed_out=False

               08:05 hrs url=http://mywebsite.com response_code=401 timed_out=False

Thank you in advance !

Labels (3)
0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...