Splunk Search

Stats -- Alert When Count Exceeds Threshold

vragosta
Path Finder

I'm sure this is easy to do, but I'm a bit stumped. Say I have a search like this:

http_status="500" | stats count by client_address, url, server_name, http_status_description, http_method, http_version, user_agent, referrer

I want to generate an alert if the aggregate count is greater than a specified threshold, like 100, but cannot figure out how to do this...

Any help is appreciated.

Thanks!

1 Solution

alacercogitatus
SplunkTrust

Based on the comment under jtrucks' answer:

http_status="500" | eventstats count as TOTAL_COUNT | stats latest(TOTAL_COUNT) as TC count by client_address, url, server_name, http_status_description, http_method, http_version, user_agent, referrer | where TC > 100

Ref:
http://docs.splunk.com/Documentation/Splunk/5.0.3/SearchReference/Eventstats



vragosta
Path Finder

Thanks! Looks like this will work as intended.


jtrucks
Splunk Employee

Just add a where clause at the end like:

| where count > 100

vragosta
Path Finder

Actually, neither of these will work. I don't want to know where a single aggregate sum exceeds 100. I want to know if the sum total of all of the aggregate sums exceeds 100. For example, I may have something like this:

client_address   url       server          count
10.0.0.1         /stuff    /myserver.com   50
10.0.0.2         /stuff2   /myserver.com   51

I want the above result set to generate an alert because 50+51 > 100. If I simply check where count > 100, then any one result would need to have a count of 100 or more for the alert to be generated.

Hope this makes sense.

Thanks,

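To make the distinction in the reply above concrete, here is an added Python example (not from the thread and not Splunk code) that emulates the two searches over constructed events: jtrucks' per-row `where count > 100` check versus the accepted answer's eventstats-style total check. The key="value" lines, hosts and counts are constructed; the field names are the thread's.

```python
import re
from collections import Counter

# Mimics Splunk's automatic key="value" field extraction on one event line.
KV_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_event(line):
    """Turn one key="value" line into a dict of extracted fields."""
    return dict(KV_RE.findall(line))

def stats_count_by(events, fields):
    """Equivalent of `stats count by <fields>`: one row per field combination."""
    return Counter(tuple(e.get(f, "") for f in fields) for e in events)

def per_group_alerts(events, fields, threshold):
    """jtrucks' `| where count > threshold`: fires only for a single group
    whose own count exceeds the threshold."""
    return {k: c for k, c in stats_count_by(events, fields).items() if c > threshold}

def aggregate_alert(events, fields, threshold):
    """Accepted answer: `eventstats count as TOTAL_COUNT` carries the overall
    count onto every row, so `where TC > threshold` tests the sum of all groups.
    Returns (total, fires)."""
    groups = stats_count_by(events, fields)
    total = sum(groups.values())  # what TOTAL_COUNT holds on every event
    return total, total > threshold

def build_sample():
    """Constructed data: 50 errors from 10.0.0.1 on /stuff, 51 from 10.0.0.2 on
    /stuff2, plus non-500 events that the http_status="500" filter must drop."""
    lines = ['http_status="500" client_address="10.0.0.1" url="/stuff" server_name="myserver.com"'] * 50
    lines += ['http_status="500" client_address="10.0.0.2" url="/stuff2" server_name="myserver.com"'] * 51
    lines += ['http_status="200" client_address="10.0.0.3" url="/ok" server_name="myserver.com"'] * 7
    return [parse_event(line) for line in lines]

def run(threshold=100):
    """Apply the base search, then evaluate both alert conditions."""
    events = [e for e in build_sample() if e.get("http_status") == "500"]
    fields = ("client_address", "url", "server_name")
    return per_group_alerts(events, fields, threshold), aggregate_alert(events, fields, threshold)

if __name__ == "__main__":
    per_group, (total, fires) = run()
    print("per-group alerts:", per_group)      # {} : no single row exceeds 100
    print("total:", total, "alert:", fires)    # 101 True : 50 + 51 exceeds 100
```

With the sample data the per-row check stays silent while the aggregate check fires, which is exactly the behaviour the original poster needed.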

linu1988
Champion

Hello,
I would say something like:
http_status="500" | stats count(http_status) as Error_Count by url|table server_name,client_address,url,http_status_description, http_method, http_version, user_agent, referrer,Error_Count|where Error_Count > 100

You can also get rid of some fields which are not really required, to keep the result table clean.

linu1988
Champion

For the requirement below I would do stats count only, but it will not be able to show the other details. I would do a join to just show the count.

http_status="500" | stats count by url | eval key=1 | join key [search http_status="500" | stats count as Total_Error_Count | eval key=1] | fields - key | table server_name, client_address, url, http_status_description, http_method, http_version, user_agent, referrer, count, Total_Error_Count | where Total_Error_Count > 100

This will show you the same Total_Error_Count for each of the URLs/IPs.

Hope this gives you a hint, but it's not the correct condition for the alert.
