Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Stats -- Alert When Count Exceeds Threshold

vragosta
Path Finder
‎07-25-2013 06:49 AM

I'm sure this is easy to do, but I'm a bit stumped. Say I have a search like this:

http_status="500" | stats count by client_address, url, server_name, http_status_description, http_method, http_version, user_agent, referrer

I want to generate an alert if the aggregate count is greater than a specified threshold, like 100, but cannot figure out how to do this...

Any help is appreciated.

Thanks!

Reply
1 Solution
Solved! Jump to solution
Solution

alacercogitatus
SplunkTrust
SplunkTrust
‎07-25-2013 07:18 AM

Based on the comment under jtrucks answer:

http_status="500" |eventstats count as TOTAL_COUNT| stats latest(TOTAL_COUNT) as TC count by client_address, url, server_name, http_status_description, http_method, http_version, user_agent, referrer | where TC > 100

Ref:
http://docs.splunk.com/Documentation/Splunk/5.0.3/SearchReference/Eventstats

View solution in original post

Reply
Solved! Jump to solution
Solution

alacercogitatus
SplunkTrust
SplunkTrust
‎07-25-2013 07:18 AM

Based on the comment under jtrucks answer:

http_status="500" |eventstats count as TOTAL_COUNT| stats latest(TOTAL_COUNT) as TC count by client_address, url, server_name, http_status_description, http_method, http_version, user_agent, referrer | where TC > 100

Ref:
http://docs.splunk.com/Documentation/Splunk/5.0.3/SearchReference/Eventstats

Reply
Solved! Jump to solution

vragosta
Path Finder
‎07-25-2013 07:23 AM

Thanks! Looks like this will work as intended.

0 Karma
Reply
Solved! Jump to solution

jtrucks
Splunk Employee
Splunk Employee
‎07-25-2013 06:57 AM

Just add a where clause at the end like:

| where count > 100

--
Jesse Trucks
Minister of Magic
Reply
Solved! Jump to solution

vragosta
Path Finder
‎07-25-2013 07:03 AM

Actually, neither of these will work. I don't want to know where a single aggregate sum exceeds 100. I want to know if the sum total of all of the aggregate sums exceeds 100. For example, I may have something like this:

client_address url server count
10.0.0.1 /stuff /myserver.com 50
10.0.0.2 /stuff2 /myserver.com 51

I want the above result set to generate an alert because 50+51 > 100. If I simply check where count > 100, then any one result would need to have a count of 100 or more for the alert to be generated.

Hope this makes sense.

Thanks,

0 Karma
Reply
Solved! Jump to solution

linu1988
Champion
‎07-25-2013 06:57 AM

Hello,
i would say like:
http_status="500" | stats count(http_status) as Error_Count by url|table server_name,client_address,url,http_status_description, http_method, http_version, user_agent, referrer,Error_Count|where Error_Count > 100

You can also get rid of some fields which are not really required, to keep the result table clean.

Reply
Solved! Jump to solution

linu1988
Champion
‎07-25-2013 07:29 AM

For the below requirement i would do stats count only, But will not be able to show other details. I would do a join to just show the count.

http_status="500" | stats count by url|join host[http_status="500" | stats count(http_status) as Error_Count]|table server_name,client_address,url,http_status_description, http_method, http_version, user_agent, referrer,count,Total_Error_Count|where Total_Error_Count > 100

this will show you Total_Error_count same for each of the urls/ips.

Hope this gives you a hint, but it's not the correct condition for alert to see.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...