Solved: Re: Stats StatusCode error Rate

dpdwibedy · ‎08-05-2020

Hi There,

Need help to find the status code error rate where status code is >400.

I have below Query to time chart the error rate , which works fine...

index=apache_core userAgent!="nginx/*" source="*access.log*" requestURI!="/web/app*" NOT (requestURI="/api/xyz/*" OR requestURI="/api/yyy/*" AND statusCode=404) earliest=-30m latest=now | timechart span=5m limit=0 eval((count(eval(statusCode>=400)) / count()) * 100) as ErrorRate

But , to create an alert , I don't want the time chart , just the error rate in last 30 mins.

the stats count with the eval statement doesn't work.

Thanks,

DD

richgalloway · ‎08-05-2020

Add | fields ErrorRate to the end of the query.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎08-05-2020

For an alert, replace timechart with stats and eval.

index=apache_core  userAgent!="nginx/*" source="*access.log*"  requestURI!="/web/app*" NOT (requestURI="/api/xyz/*"  OR requestURI="/api/yyy/*"  AND statusCode=404) earliest=-30m latest=now 
| stats count(eval(statusCode>=400)) as errors, count as total
| eval ErrorRate = errors * 100 / total

---
If this reply helps you, Karma would be appreciated.

dpdwibedy · ‎08-05-2020

@richgalloway ,

Thanks! for the reply . It works , but I want only "ErrorRate" to be displayed.

Right now , it displays like this.

errors	total	ErrorRate
19056	679878	2.8028558064829276

richgalloway · ‎08-05-2020

Add | fields ErrorRate to the end of the query.

---
If this reply helps you, Karma would be appreciated.

dpdwibedy · ‎08-05-2020

Thanks @richgalloway . Appreciated.

Regards,

DD

Stats StatusCode error Rate

stats

Index This | Forward, I’m heavy; backward, I’m not. What am I?

A Guide To Cloud Migration Success

Join Us for Splunk University and Get Your Bootcamp Game On!