Splunk Enterprise

Help with Stats command and total count of errors

shashank_24
Path Finder

Hi, I am working on setting up an alert where I need to count whether there have been more than 50 errors in the last 30 minutes.

And if there are, I need to send the alert with those pages and their counts. Something like below:

requested_content   Status   Count
/my-app/1.html      500      20
/my-app/2.html      500      40
                             60

 

Now the alert should only trigger if the sum of these counts is > 50, like above. I have written a query, but it only gives the count and not the pages that are throwing the error. I want to see the pages too.

index=myindex_prod sourcetype=ssl_access_combined requested_content="/my-app/*" status=50*
| stats count by status
| where count > 50

Can someone advise on how to achieve this? I want the alert to be triggered, and it should output a table with the pages and their counts when the total count is > 50.


richgalloway
SplunkTrust

The stats command discards fields it doesn't use, so to make them available later in the query they must be mentioned in stats. Try this query.

| makeresults | eval _raw="requested_content	Status
/my-app/1.html	500
/my-app/2.html	500" | multikv forceheader=1
```Above just defines test data```
| stats count by requested_content,Status
```Calculate the total count and add it as a field to each result```
| eventstats sum(count) as total
```Show the results only when the total exceeds the limit```
| where total>50
```Don't show the total field```
| fields - total
---
If this reply helps you, Karma would be appreciated.


ITWhisperer
SplunkTrust
index=myindex_prod sourcetype=ssl_access_combined requested_content="/my-app/*" status=50*
| eventstats count by status
| where count > 50

However, this counts 500 and 501 and 502 etc. separately. Is this what you want? If not, and given that you are already filtering on status=50*, just use eventstats count.


shashank_24
Path Finder

Thanks @richgalloway. That almost solved my purpose. Just one more thing: right now my alert trigger condition is like this (I should have mentioned it in the question, sorry).

| where (status=500 AND count > 50) OR (status=503 AND count > 30) OR (status=502 AND count > 30)

So is it possible to count the total individually by status and then trigger the alert?


richgalloway
SplunkTrust

Based on the new requirements, you just need the stats command from my answer. Do be careful of the case of field names, though.

---
If this reply helps you, Karma would be appreciated.
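As an added example (not from the original thread and not Splunk's own code), the following SPL puts the accepted answer and the follow-up question together: stats keeps requested_content and status as split-by fields so the pages survive the aggregation, eventstats adds a per-status total across all pages to every row, and the where clause applies the per-status thresholds from the follow-up. The makeresults/append lines at the top build constructed test data (20 and 40 events with status 500 on two pages and 12 events with status 503 on a third; none of it is real access-log data). In the real alert those lines would be replaced by the base search index=myindex_prod sourcetype=ssl_access_combined requested_content="/my-app/*" status=50*, with the 30-minute window supplied by the alert's scheduled time range. The field name status_total is my own choice, and the field is spelled status (lower case) to match the question's search rather than the Status column in the accepted answer's test data; Splunk field names are case-sensitive, which is the point of the "case of field names" caveat above.

```spl
| makeresults count=20 | eval requested_content="/my-app/1.html", status=500
```Constructed test data only: 20 x 500 on 1.html, 40 x 500 on 2.html, 12 x 503 on 3.html```
| append [| makeresults count=40 | eval requested_content="/my-app/2.html", status=500]
| append [| makeresults count=12 | eval requested_content="/my-app/3.html", status=503]
```One row per page and status; both fields must be in the by clause or stats drops them```
| stats count by requested_content, status
```Total per status across every page, attached to each row; rows are not collapsed```
| eventstats sum(count) as status_total by status
```Per-status thresholds from the follow-up question, applied to the status total, not the per-page count```
| where (status=500 AND status_total > 50) OR (status=503 AND status_total > 30) OR (status=502 AND status_total > 30)
```Order so the alert table lists the noisiest pages first```
| sort - status_total, - count
```

With the constructed data this returns two rows, /my-app/1.html and /my-app/2.html, both with status 500 and counts 20 and 40, because the 500 total of 60 exceeds 50; the /my-app/3.html row is dropped because the 503 total of 12 is under 30. Append | fields - status_total if the alert table should show only page, status and count, and set the alert's trigger condition to "Number of Results is greater than 0" so that the where clause is the only place the thresholds live.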