How to create a Splunk alert based on HTTP status codes?

Pathik
Path Finder

After searching various posts around HTTP status codes, I ended up posting a new question 😞

I would like to create an alert if failures are 5% of total traffic.

My criterion for failure is anything that doesn't match HTTP status code 200, 400, 401 or 403.

 

Thanks in advance

Pathik


vinothkumark
Path Finder

Hi, can you help with the query if multiple conditions need to be met in the same query?
Example: if the status code is 500 and it is greater than 10%, an alert should be triggered; also, if the status code is 403 and it is greater than 20%, an alert should be triggered.


venkatasri
SplunkTrust
SplunkTrust

Hi @Pathik Can you try this.

<your_search> status!=200 AND status!=400 AND status!=401 AND status!=403
| stats count by status
| addcoltotals count
| eventstats max(count) as total
| eval perc=count/total * 100
| where perc > 5 AND isnotnull(status)
| fields - total

Pathik
Path Finder

Thanks @venkatasri,

It's not working. I applied what you shared, but I'm getting only bad requests (the success count isn't coming in the output at all, it seems).

Anything else to change?


ITWhisperer
SplunkTrust
SplunkTrust
<your search>
| eval fail=if(status IN (200,400,401,403),0,1)
| stats count as total sum(fail) as fails
| eval percent=100*fails/total
| where percent>5
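
Added example, not code from this thread or from Splunk: the same failure-rate rule as the SPL above (a request is a failure unless its status is 200, 400, 401 or 403; alert when failures exceed 5% of all requests), written in Python over a constructed log sample so it can be run offline, and extended with the per-status thresholds asked about earlier in the thread (500 above 10% of traffic, 403 above 20%). The log lines, hosts and paths are constructed, and the function names are my own.

```python
"""
HTTP status-code failure-rate alerting, mirrored outside Splunk.

Mirrors the SPL
    | eval fail=if(status IN (200,400,401,403),0,1)
    | stats count as total sum(fail) as fails
    | eval percent=100*fails/total
    | where percent>5
and adds per-status thresholds (e.g. 500 > 10%, 403 > 20%).
"""
import re
from collections import Counter

# Constructed sample in Combined Log Format (hypothetical hosts/paths).
# 10 parseable requests: 5x200, 3x403, 1x500, 1x404, plus one junk line.
SAMPLE_LOG = """\
10.0.0.1 - - [06/May/2025:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/8.0"
10.0.0.2 - - [06/May/2025:10:00:02 +0000] "GET /login HTTP/1.1" 200 733 "-" "Mozilla/5.0"
10.0.0.3 - - [06/May/2025:10:00:03 +0000] "POST /api/items HTTP/1.1" 403 41 "-" "python-requests/2.31"
10.0.0.1 - - [06/May/2025:10:00:04 +0000] "GET /static/app.js HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
10.0.0.4 - - [06/May/2025:10:00:05 +0000] "GET /admin HTTP/1.1" 403 41 "-" "curl/8.0"
10.0.0.5 - - [06/May/2025:10:00:06 +0000] "GET /api/items/7 HTTP/1.1" 500 0 "-" "Mozilla/5.0"
10.0.0.2 - - [06/May/2025:10:00:07 +0000] "GET /missing HTTP/1.1" 404 162 "-" "Mozilla/5.0"
this line is deliberately malformed and must be skipped by the parser
10.0.0.6 - - [06/May/2025:10:00:08 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.4 - - [06/May/2025:10:00:09 +0000] "GET /admin HTTP/1.1" 403 41 "-" "curl/8.0"
10.0.0.7 - - [06/May/2025:10:00:10 +0000] "GET /health HTTP/1.1" 200 2 "-" "kube-probe/1.29"
"""

# host ident authuser [timestamp] "request" status bytes ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (?P<status>\d{3}) (?:\d+|-)')

# Codes the original question treats as *not* failures.
NON_FAILURE = frozenset({200, 400, 401, 403})


def parse_statuses(log_text):
    """Return the HTTP status code of every line that parses; junk lines are skipped."""
    statuses = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            statuses.append(int(m.group("status")))
    return statuses


def failure_percent(statuses, ok_codes=NON_FAILURE):
    """Percent of requests whose status is not in ok_codes (the 'fail' flag summed over total)."""
    total = len(statuses)
    if total == 0:
        return 0.0  # empty window: avoid division by zero and never alert on no traffic
    fails = sum(1 for s in statuses if s not in ok_codes)
    return 100.0 * fails / total


def evaluate_alerts(statuses, overall_threshold=5.0, per_status_thresholds=None):
    """Return [(rule_name, percent), ...] for every rule whose threshold is exceeded.

    overall_threshold      -> the original 'failures > 5% of total traffic' rule
    per_status_thresholds  -> {status_code: percent_of_total}, e.g. {500: 10.0, 403: 20.0}
    Thresholds are strict (>), matching the SPL 'where percent>5'.
    """
    alerts = []
    total = len(statuses)
    if total == 0:
        return alerts
    overall = failure_percent(statuses)
    if overall > overall_threshold:
        alerts.append(("non_ok_status", round(overall, 2)))
    counts = Counter(statuses)
    for code, threshold in (per_status_thresholds or {}).items():
        pct = 100.0 * counts.get(code, 0) / total
        if pct > threshold:
            alerts.append((f"status_{code}", round(pct, 2)))
    return alerts


if __name__ == "__main__":
    seen = parse_statuses(SAMPLE_LOG)
    print(f"parsed {len(seen)} requests, failure rate {failure_percent(seen):.1f}%")
    for rule, pct in evaluate_alerts(seen, 5.0, {500: 10.0, 403: 20.0}):
        print(f"ALERT {rule}: {pct}% of traffic")
```

On the sample the overall rule fires (the 500 and the 404 are 2 of 10 requests, 20%) and the 403 rule fires (3 of 10, 30%), while the single 500 sits at exactly 10% and does not fire because the comparison is strict. In SPL the per-status counters can be computed alongside the total in one pass with `count(eval(status=500))` and `count(eval(status=403))` in the `stats` line, then each divided by `total` and checked in `where` with `OR`; the zero-total guard matters there too, since an empty search window yields a null percentage that never trips the alert.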

Pathik
Path Finder

Works like a charm @ITWhisperer, thanks a ton
