After searching various posts around HTTP status codes, I ended up posting a new question 😞
I would like to create an alert if failures are 5% of total traffic.
My criterion for failure is anything that doesn't match HTTP status code 200, 400, 401, 403
Thanks in advance
Hi, can you help with the query if multiple conditions need to be met in the same query?
Example: if the status code is 500 and greater than 10%, an alert should be triggered. Also, if the status code is 403 and greater than 20%, an alert should be triggered.
Hi @Pathik, can you try this?
<your_search> status!=200 OR status!=400 OR status!=401 OR status!=403
| stats count by status
| addcoltotals count
| eventstats max(count) as total
| eval perc=count/total * 100
| where perc > 5 AND isnotnull(status) | fields - total
Thanks @venkatasri ,
It's not working. I applied what you shared, but I'm getting only bad requests (the success count is not coming in the output at all, it seems).
Any other things to change?
<your search>
| eval fail=if(status IN (200,400,401,403),0,1)
| stats count as total sum(fail) as fails
| eval percent=100*fails/total
| where percent>5
Works like a charm @ITWhisperer , thanks a ton
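The follow-up question about separate thresholds per status code (500 above 10%, 403 above 20%) goes unanswered in the thread. The search below is an added example, not posted by any participant, showing one way to do it: compute each status's share of total traffic, attach a per-status threshold with case(), and keep only the rows that exceed their own threshold. The first three lines generate constructed sample data (70 × 200, 12 × 500, 8 × 403, 10 × 404) so it runs stand-alone; the field names n, percent and threshold are assumptions.

```spl
| makeresults count=100
| streamstats count as n
| eval status=case(n<=70, 200, n<=82, 500, n<=90, 403, true(), 404)
| stats count by status
| eventstats sum(count) as total
| eval percent=round(100*count/total, 2)
| eval threshold=case(tonumber(status)==500, 10, tonumber(status)==403, 20)
| where percent>threshold
| table status count total percent threshold
```

On the constructed data only the 500 row (12%) is returned: 403 sits at 8%, below its 20% threshold, and statuses with no threshold defined get a null threshold and are dropped by the where clause. For real traffic, replace the first three lines with the base search and set the alert to trigger when the number of results is greater than zero.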