Splunk Search

Stats -- Alert When Count Exceeds Threshold

vragosta
Path Finder

I'm sure this is easy to do, but I'm a bit stumped. Say I have a search like this:

http_status="500" | stats count by client_address, url, server_name, http_status_description, http_method, http_version, user_agent, referrer

I want to generate an alert if the aggregate count is greater than a specified threshold, like 100, but cannot figure out how to do this...

Any help is appreciated.

Thanks!

1 Solution

alacercogitatus
SplunkTrust
SplunkTrust

Based on the comment under jtrucks answer:

http_status="500" |eventstats count as TOTAL_COUNT| stats latest(TOTAL_COUNT) as TC count by client_address, url, server_name, http_status_description, http_method, http_version, user_agent, referrer | where TC > 100

Ref:
http://docs.splunk.com/Documentation/Splunk/5.0.3/SearchReference/Eventstats

View solution in original post

alacercogitatus
SplunkTrust
SplunkTrust

Based on the comment under jtrucks answer:

http_status="500" |eventstats count as TOTAL_COUNT| stats latest(TOTAL_COUNT) as TC count by client_address, url, server_name, http_status_description, http_method, http_version, user_agent, referrer | where TC > 100

Ref:
http://docs.splunk.com/Documentation/Splunk/5.0.3/SearchReference/Eventstats

vragosta
Path Finder

Thanks! Looks like this will work as intended.

0 Karma

jtrucks
Splunk Employee
Splunk Employee

Just add a where clause at the end like:

| where count > 100

--
Jesse Trucks
Minister of Magic

vragosta
Path Finder

Actually, neither of these will work. I don't want to know where a single aggregate sum exceeds 100. I want to know if the sum total of all of the aggregate sums exceeds 100. For example, I may have something like this:

client_address url server count
10.0.0.1 /stuff /myserver.com 50
10.0.0.2 /stuff2 /myserver.com 51

I want the above result set to generate an alert because 50+51 > 100. If I simply check where count > 100, then any one result would need to have a count of 100 or more for the alert to be generated.

Hope this makes sense.

Thanks,

0 Karma

linu1988
Champion

Hello,
i would say like:
http_status="500" | stats count(http_status) as Error_Count by url|table server_name,client_address,url,http_status_description, http_method, http_version, user_agent, referrer,Error_Count|where Error_Count > 100

You can also get rid of some fields which are not really required, to keep the result table clean.

linu1988
Champion

For the below requirement i would do stats count only, But will not be able to show other details. I would do a join to just show the count.

http_status="500" | stats count by url|join host[http_status="500" | stats count(http_status) as Error_Count]|table server_name,client_address,url,http_status_description, http_method, http_version, user_agent, referrer,count,Total_Error_Count|where Total_Error_Count > 100

this will show you Total_Error_count same for each of the urls/ips.

Hope this gives you a hint, but it's not the correct condition for alert to see.

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...