Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Help with Stats command and total count of errors

shashank_24
Path Finder
‎03-05-2021 06:59 AM

Hi, I am working an setting up a alert where I need to count if there have been more than 50 count of errors in last 30 minutes.

And if there is then I need to send the alert with those pages and count. Something like below

requested_contentStatusCount
/my-app/1.html50020
/my-app/2.html50040
  60

 

Now the alert should only trigger if the sum of these counts > 50 like above. I have written a query but it only gives the count and not the pages which are throwing the error. I want to see the pages too

index=myindex_prodsourcetype=ssl_access_combined requested_content="/my-app/*" status=50* 
| stats count by status
| where count > 50

Can someone able to advice on this how to achieve this? I want the alert to be triggered and it should output the tabular format with pages and it's count with total count > 50

Labels (2)
Tags (4)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎03-05-2021 07:20 AM

The stats command discards fields it doesn't use so to make them available later in the query they must be mentioned in stats.  Try this query.

| makeresults | eval _raw="requested_content	Status
/my-app/1.html	500
/my-app/2.html	500" | multikv forceheader=1
```Above just defines test data```
| stats count by requested_content,Status
```Calculate the total count and add it as a field to each result```
| eventstats sum(count) as total
```Show the results only when the total exceeds the limit```
| where total>50
```Don't show the total field```
| fields - total
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-05-2021 07:23 AM 
index=myindex_prodsourcetype=ssl_access_combined requested_content="/my-app/*" status=50* 
| eventstats count by status
| where count > 50

However, this counts 500 and 501 and 502 etc. separately. Is this what you want? If not, and given that you are already filtering on status=50*, just use eventstats count

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎03-05-2021 07:20 AM

The stats command discards fields it doesn't use so to make them available later in the query they must be mentioned in stats.  Try this query.

| makeresults | eval _raw="requested_content	Status
/my-app/1.html	500
/my-app/2.html	500" | multikv forceheader=1
```Above just defines test data```
| stats count by requested_content,Status
```Calculate the total count and add it as a field to each result```
| eventstats sum(count) as total
```Show the results only when the total exceeds the limit```
| where total>50
```Don't show the total field```
| fields - total
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

shashank_24
Path Finder
‎03-05-2021 07:29 AM

Thanks @richgalloway. That almost solved my purpose. Just one more thing - So right now my alert trigger condition is like this - I should have mentioned in the question Sorry.

| where (status=500 AND count > 50) OR (status=503 AND count > 30) OR (status=502 AND count > 30)

So is it possible to count the total individually by status and then trigger the alert?

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎03-05-2021 09:50 AM

Based on the new requirements, you just need the stats command from my answer.  Do be careful of cases in field names, though.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability As businesses scale ...