I'm sure this is easy to do, but I'm a bit stumped. Say I have a search like this:
http_status="500" | stats count by client_address, url, server_name, http_status_description, http_method, http_version, user_agent, referrer
I want to generate an alert if the aggregate count is greater than a specified threshold, like 100, but cannot figure out how to do this...
Any help is appreciated.
Thanks!
Based on the comment under jtrucks' answer:
http_status="500" | eventstats count as TOTAL_COUNT | stats latest(TOTAL_COUNT) as TC count by client_address, url, server_name, http_status_description, http_method, http_version, user_agent, referrer | where TC > 100
Ref:
http://docs.splunk.com/Documentation/Splunk/5.0.3/SearchReference/Eventstats
Thanks! Looks like this will work as intended.
Just add a where clause at the end like:
| where count > 100
Actually, neither of these will work. I don't want to know where a single aggregate sum exceeds 100. I want to know if the sum total of all of the aggregate sums exceeds 100. For example, I may have something like this:
client_address url server count
10.0.0.1 /stuff /myserver.com 50
10.0.0.2 /stuff2 /myserver.com 51
I want the above result set to generate an alert because 50+51 > 100. If I simply check where count > 100, then any one result would need to have a count of 100 or more for the alert to be generated.
Hope this makes sense.
Thanks,
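As an added example (not from any of the posts above), here is the 50 + 51 case built with makeresults so it can be pasted straight into a search bar. It applies eventstats after stats to sum the per-group counts into one total, which is the alternative to the eventstats-before-stats form in the accepted answer; the field name TC, the two client addresses and the server name are constructed.

```spl
| makeresults count=101
| streamstats count as n
| eval http_status="500",
       client_address=if(n <= 50, "10.0.0.1", "10.0.0.2"),
       url=if(n <= 50, "/stuff", "/stuff2"),
       server_name="myserver.com"
| search http_status="500"
| stats count by client_address, url, server_name
| eventstats sum(count) as TC
| where TC > 100
```

Both rows come back with count 50 and 51 and TC=101, so an alert whose trigger condition is "number of results is greater than 0" fires; change count=101 to count=81 and no row survives the where clause, so nothing fires.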
Hello,
I would say something like:
http_status="500" | stats count(http_status) as Error_Count by server_name, client_address, url, http_status_description, http_method, http_version, user_agent, referrer | table server_name, client_address, url, http_status_description, http_method, http_version, user_agent, referrer, Error_Count | where Error_Count > 100
You can also get rid of some fields which are not really required, to keep the result table clean.
For the requirement below I would do a stats count only, but that will not be able to show the other details. I would do a join to just show the count.
http_status="500" | stats count by url | eval k=1 | join k [http_status="500" | stats count as Total_Error_Count | eval k=1] | fields - k | table url, count, Total_Error_Count | where Total_Error_Count > 100
This will show you Total_Error_Count, the same value for each of the URLs/IPs.
Hope this gives you a hint, but it's not the correct condition for an alert to check.