Re: Splunk alert based on HTTP status codes

Pathik · ‎07-29-2021

After searching various posts around HTTP status codes, ended up posting new question 😞

I would like to create alert if failures are 5% of total traffic.

My criteria of failure is anything that doesn't match HTTP status code 200, 400, 401, 403

Thanks in advance

Pathik

vinothkumark

Hi, can you help on the query if multiple condition needs to be met in the same query?
Example: status code is 500 and greater than 10% alert should be triggered. also, if status code is 403 and greater than 20% alert should be triggered.

venkatasri · ‎07-29-2021

Hi @Pathik Can you try this.

<your_search> status!=200 OR status!=400 OR status!=401 OR status!=403  
| stats count by status 
| addcoltotals count 
| eventstats max(count) as total 
| eval perc=count/total * 100 
| where perc > 5 AND isnotnull(status) | fields - total

Pathik · ‎08-03-2021

Thanks @venkatasri ,

Its not working, applied what you shared. but getting only bad requests. (success count not coming in output at all it seems)

Any other things to change?

ITWhisperer · ‎08-03-2021

<your search>
| eval fail=if(status IN (200,400,401,403),0,1)
| stats count as total sum(fail) as fails
| eval percent=100*fails/total
| where percent>5

Pathik · ‎08-08-2021

Works like a charm @ITWhisperer , thanks a ton

How create Splunk alert based on HTTP status codes?

other

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

Observability Highlights | January 2023 Newsletter

Security Highlights | January 2023 Newsletter