Security

How create Splunk alert based on HTTP status codes?

Pathik
Path Finder

After searching various posts around HTTP status codes, ended up posting new question 😞

 

I would like to create alert if failures are 5% of total traffic. 

My criteria of failure is anything that doesn't match HTTP status code 200, 400, 401, 403

 

Thanks in advance

Pathik

Labels (1)
0 Karma

vinothkumark
Path Finder

Hi, can you help on the query if multiple condition needs to be met in the same query? 
Example: status code is 500 and greater than 10% alert should be triggered. also, if status code is 403 and greater than 20% alert should be triggered.

0 Karma

venkatasri
SplunkTrust
SplunkTrust

Hi @Pathik Can you try this.

<your_search> status!=200 OR status!=400 OR status!=401 OR status!=403  
| stats count by status 
| addcoltotals count 
| eventstats max(count) as total 
| eval perc=count/total * 100 
| where perc > 5 AND isnotnull(status) | fields - total
0 Karma

Pathik
Path Finder

Thanks @venkatasri ,

Its not working, applied what you shared. but getting only bad requests. (success count not coming in output at all it seems)

 

Any other things to change?

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
<your search>
| eval fail=if(status IN (200,400,401,403),0,1)
| stats count as total sum(fail) as fails
| eval percent=100*fails/total
| where percent>5

Pathik
Path Finder

Works like a charm @ITWhisperer , thanks a ton

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...