Splunk Enterprise

Help with Stats command and total count of errors

shashank_24
Path Finder

Hi, I am working an setting up a alert where I need to count if there have been more than 50 count of errors in last 30 minutes.

And if there is then I need to send the alert with those pages and count. Something like below

requested_contentStatusCount
/my-app/1.html50020
/my-app/2.html50040
  60

 

Now the alert should only trigger if the sum of these counts > 50 like above. I have written a query but it only gives the count and not the pages which are throwing the error. I want to see the pages too

index=myindex_prodsourcetype=ssl_access_combined requested_content="/my-app/*" status=50* 
| stats count by status
| where count > 50

Can someone able to advice on this how to achieve this? I want the alert to be triggered and it should output the tabular format with pages and it's count with total count > 50

Labels (2)
Tags (4)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

The stats command discards fields it doesn't use so to make them available later in the query they must be mentioned in stats.  Try this query.

| makeresults | eval _raw="requested_content	Status
/my-app/1.html	500
/my-app/2.html	500" | multikv forceheader=1
```Above just defines test data```
| stats count by requested_content,Status
```Calculate the total count and add it as a field to each result```
| eventstats sum(count) as total
```Show the results only when the total exceeds the limit```
| where total>50
```Don't show the total field```
| fields - total
---
If this reply helps you, an upvote would be appreciated.

View solution in original post

ITWhisperer
Ultra Champion
index=myindex_prodsourcetype=ssl_access_combined requested_content="/my-app/*" status=50* 
| eventstats count by status
| where count > 50

However, this counts 500 and 501 and 502 etc. separately. Is this what you want? If not, and given that you are already filtering on status=50*, just use eventstats count

richgalloway
SplunkTrust
SplunkTrust

The stats command discards fields it doesn't use so to make them available later in the query they must be mentioned in stats.  Try this query.

| makeresults | eval _raw="requested_content	Status
/my-app/1.html	500
/my-app/2.html	500" | multikv forceheader=1
```Above just defines test data```
| stats count by requested_content,Status
```Calculate the total count and add it as a field to each result```
| eventstats sum(count) as total
```Show the results only when the total exceeds the limit```
| where total>50
```Don't show the total field```
| fields - total
---
If this reply helps you, an upvote would be appreciated.

View solution in original post

shashank_24
Path Finder

Thanks @richgalloway. That almost solved my purpose. Just one more thing - So right now my alert trigger condition is like this - I should have mentioned in the question Sorry.

| where (status=500 AND count > 50) OR (status=503 AND count > 30) OR (status=502 AND count > 30)

So is it possible to count the total individually by status and then trigger the alert?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Based on the new requirements, you just need the stats command from my answer.  Do be careful of cases in field names, though.

---
If this reply helps you, an upvote would be appreciated.
0 Karma
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!