Hi,
How do I alert when HTTP status=404 is over 5 percent of total traffic?
This is the simple search query I use. I need your help to add the correct condition for the alert.
tag=NginxLogs host=www* status=404
Thanks for your help.
Try this:
tag=NginxLogs host=www* | stats count by status | eventstats sum(count) as total | eval perc=round((count/total)*100,2) | where status="404" AND perc>5
You can also achieve it using the query below:
tag=NginxLogs host=www* status=404
| stats count by status
| eval total=[search tag=NginxLogs host=www* | stats count(src) as total | eval total="\"".total."\""| return $total]
| eval percent=round((count/total)*100,2)
| where percent>5
In my environment, this query ran faster.
You can be more efficient if you specify index=xyz in your query (in our case we did).
Thank You!
Can you explain where I add it in order for that to be an alert?
Thank you very much
Can you explain where I add it in order for that to be an alert?
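One way to turn the first answer's search into a scheduled alert, written as a savedsearches.conf stanza (an added example, not part of any post in this thread). The stanza name, schedule, time window, throttle period and e-mail recipient are assumptions to adjust; the same settings are available in Splunk Web by running the search and choosing Save As > Alert.

```ini
# Added example. Stanza name, schedule, window, throttling and recipient
# are assumed values, not taken from the thread.
[Nginx 404 over 5 percent of traffic]
# Search from the first answer. The trailing "where" keeps a row only when
# status 404 exceeds 5 percent, so any result at all means the condition is met.
search = tag=NginxLogs host=www* | stats count by status | eventstats sum(count) as total | eval perc=round((count/total)*100,2) | where status="404" AND perc>5

# Evaluate the last 15 minutes of traffic, every 15 minutes.
dispatch.earliest_time = -15m
dispatch.latest_time = now
enableSched = 1
cron_schedule = */15 * * * *

# Trigger when the search returns more than 0 results.
counttype = number of events
relation = greater than
quantity = 0

# Show the alert under Triggered Alerts with medium severity.
alert.track = 1
alert.severity = 3

# Throttle repeat notifications for one hour while the ratio stays high.
alert.suppress = 1
alert.suppress.period = 1h

# Notify by e-mail (placeholder address).
action.email = 1
action.email.to = soc@example.com
```

Because the percentage is computed over the dispatch window, a short window with very little traffic can cross 5 percent on a handful of requests; widen the window if that produces noise.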