Splunk Enterprise

Help with Stats command and total count of errors

shashank_24
Path Finder

Hi, I am working on setting up an alert where I need to count whether there have been more than 50 errors in the last 30 minutes.

And if there is then I need to send the alert with those pages and count. Something like below

requested_content    Status    Count
/my-app/1.html       500       20
/my-app/2.html       500       40
                               60

Now the alert should only trigger if the sum of these counts is > 50, as above. I have written a query, but it only gives the count and not the pages which are throwing the error. I want to see the pages too.

index=myindex_prod sourcetype=ssl_access_combined requested_content="/my-app/*" status=50*
| stats count by status
| where count > 50

Can someone advise on how to achieve this? I want the alert to be triggered, and it should output a table with the pages and their counts, with a total count > 50.


ITWhisperer
SplunkTrust

index=myindex_prod sourcetype=ssl_access_combined requested_content="/my-app/*" status=50*
| eventstats count by status
| where count > 50

However, this counts 500 and 501 and 502 etc. separately. Is this what you want? If not, and given that you are already filtering on status=50*, just use eventstats count

richgalloway
SplunkTrust

The stats command discards fields it doesn't use, so to make them available later in the query they must be mentioned in stats. Try this query.

| makeresults | eval _raw="requested_content	Status
/my-app/1.html	500
/my-app/2.html	500" | multikv forceheader=1
```Above just defines test data```
| stats count by requested_content,Status
```Calculate the total count and add it as a field to each result```
| eventstats sum(count) as total
```Show the results only when the total exceeds the limit```
| where total>50
```Don't show the total field```
| fields - total
---
If this reply helps you, Karma would be appreciated.

shashank_24
Path Finder

Thanks @richgalloway. That almost solved my purpose. Just one more thing: right now my alert trigger condition is like this (I should have mentioned it in the question, sorry).

| where (status=500 AND count > 50) OR (status=503 AND count > 30) OR (status=502 AND count > 30)

So is it possible to count the total individually by status and then trigger the alert?


richgalloway
SplunkTrust

Based on the new requirements, you just need the stats command from my answer. Do be careful of case in field names, though.

---
If this reply helps you, Karma would be appreciated.
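For the follow-up (a separate threshold per status code while still listing the pages), here is an added example that is not from the thread: the four makeresults/append lines construct 20, 40, 10 and 35 hits across four pages, and eventstats is grouped by status so each status is compared with its own limit instead of one grand total. The page names, counts and the lowercase `status` field name are assumptions chosen to match the asker's where clause and the ssl_access_combined sourcetype.

```spl
| makeresults count=20 | eval requested_content="/my-app/1.html", status=500
| append [| makeresults count=40 | eval requested_content="/my-app/2.html", status=500]
| append [| makeresults count=10 | eval requested_content="/my-app/3.html", status=502]
| append [| makeresults count=35 | eval requested_content="/my-app/4.html", status=503]
| stats count by requested_content, status
| eventstats sum(count) as total by status
| where (status=500 AND total>50) OR (status=502 AND total>30) OR (status=503 AND total>30)
| fields - total
```

In the real alert the four constructed lines are replaced by the base search `index=myindex_prod sourcetype=ssl_access_combined requested_content="/my-app/*" status=50* earliest=-30m`. With this data, pages 1 and 2 (status 500, total 60) and page 4 (status 503, total 35) are listed, while page 3 (status 502, total 10) is dropped.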