Re: setup alert based on host event count compared...

prakashaig · ‎04-15-2020

I have 3 webservers which takes the traffic and that is load balanced with least connection based without any sticky sessions, so the traffic will be evenly loaded b/w these servers. looking to create alert if any of the host have less event count comparatively. have the below basic query which will look for specific event on all 3 access logs. we can get alert if there is no event by adding | search eventCount=0 but i need to get alert comparing to other host for example x server has 25 events and other server has 100 events which is above my threshold (75% difference). this will help me trouble shot the LB or may the process is X server is taking longer time to respond or something.

index=x AND (host="x" OR host="y" OR host="z" ) AND source="*access" AND "xyz.com"
| search ResponseCode=200
| inputlookup append=t apache_httpd.csv
| stats count as eventCount by host

apache_httpd.csv is nothing but as below
host
x
y
z

renjith_nair · ‎04-16-2020

@prakashaig ,

You might need to find an avg event count (baseline) for the hosts and calculate the percentage of difference based on that.

Try if this works for you

your current search
|eventstats avg(eventCount ) as Avg
|eval percentage=abs(round((eventCount-avg)/avg*100,2))

Alert based on the percentage of deviation

---
What goes around comes around. If it helps, hit it with Karma 🙂

setup alert based on host event count compared with other host

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation