Security

How create Splunk alert based on HTTP status codes?

Pathik
Explorer

After searching various posts around HTTP status codes, ended up posting new question 😞

 

I would like to create alert if failures are 5% of total traffic. 

My criteria of failure is anything that doesn't match HTTP status code 200, 400, 401, 403

 

Thanks in advance

Pathik

Labels (1)
0 Karma

vinothkumark
Explorer

Hi, can you help on the query if multiple condition needs to be met in the same query? 
Example: status code is 500 and greater than 10% alert should be triggered. also, if status code is 403 and greater than 20% alert should be triggered.

0 Karma

venkatasri
SplunkTrust
SplunkTrust

Hi @Pathik Can you try this.

<your_search> status!=200 OR status!=400 OR status!=401 OR status!=403  
| stats count by status 
| addcoltotals count 
| eventstats max(count) as total 
| eval perc=count/total * 100 
| where perc > 5 AND isnotnull(status) | fields - total
0 Karma

Pathik
Explorer

Thanks @venkatasri ,

Its not working, applied what you shared. but getting only bad requests. (success count not coming in output at all it seems)

 

Any other things to change?

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
<your search>
| eval fail=if(status IN (200,400,401,403),0,1)
| stats count as total sum(fail) as fails
| eval percent=100*fails/total
| where percent>5

Pathik
Explorer

Works like a charm @ITWhisperer , thanks a ton

0 Karma
Get Updates on the Splunk Community!

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...

Security Highlights | January 2023 Newsletter

January 2023 Splunk Security Essentials (SSE) 3.7.0 ReleaseThe free Splunk Security Essentials (SSE) 3.7.0 app ...