Hello Splunkers,
Can someone help me with a query to detect multiple http errors from a single IP, basically when the status code is in the 400s/500s.
Thank you,
regards,
Moh
Basic query is something like this, but will depend on your fields
index=your_source_index status>=400 status<600
| stats count by ip status
You will then get a table of ip+status+count
You can do whatever you want to do with that - what's your goal?
Thanks for your response, the goal is to list the IPs that are causing the maximum http errors. Let's say where errors are >100.
Hi @mohsplunking,
if you need the total count of errors, the solution from @bowesmana is perfect.
let us know if we can help you more, or, please, accept one answer for the other people of Community.
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated by all the contributors 😉
Hello gcusello,
Thanks for your inputs. However, like I said, the use case is I'm looking for the IP that is causing the maximum number of http errors (400s, 500s), let's say I'm trying to find a single IP that is causing over 100 http errors. I think in the query we will have to use eval & case functions too.
Please let me know if you need further clarifications on the above.
Moh.
Hi @mohsplunking,
if you need only an alert, as I said, the solution from @bowesmana is perfect and you don't need any additional command.
The eval/case could be useful if you need to display some additional information, e.g. a level of alert quantity.
Ciao.
Giuseppe
index=your_source_index status>=400 status<600
| stats count by ip
| where count>100
or you can do
index=your_source_index status>=400 status<600
| top ip
| where count > 100
but I would prefer stats over top
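The same stats/where pipeline re-implemented in Python over constructed access-log lines, as an added example that is not code from the thread, including the eval/case-style severity bucket gcusello mentions; the log format, sample IPs and the 100/500 thresholds are assumptions.

```python
import re
from collections import Counter

# Combined-log-style line; only the client IP and the status code are extracted.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (?P<status>\d{3}) \S+')

def parse_line(line):
    """Return (ip, status) for a well-formed access-log line, else None."""
    m = LOG_RE.match(line)
    return (m.group("ip"), int(m.group("status"))) if m else None

def count_http_errors(lines, lo=400, hi=600):
    """Per-IP count of 4xx/5xx responses (the `status>=400 status<600 | stats count by ip` step)."""
    errors = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable line: skip it instead of crashing the whole run
        ip, status = parsed
        if lo <= status < hi:
            errors[ip] += 1
    return errors

def alert_level(count):
    """Severity bucket, the kind of thing the eval/case suggestion in the thread would add."""
    if count > 500:
        return "critical"
    if count > 100:
        return "high"
    return "none"

def find_noisy_ips(lines, threshold=100):
    """IPs whose error count exceeds the threshold (the `| where count>100` step), busiest first."""
    hits = [(ip, n, alert_level(n)) for ip, n in count_http_errors(lines).items() if n > threshold]
    return sorted(hits, key=lambda t: t[1], reverse=True)

def make_sample_log():
    """Constructed sample data, not real traffic: one chatty client, one quiet one, one clean one."""
    tmpl = '{ip} - - [10/Oct/2023:13:55:36 +0000] "GET /login HTTP/1.1" {status} 512'
    lines = [tmpl.format(ip="203.0.113.7", status=(401, 403, 500)[i % 3]) for i in range(120)]
    lines += [tmpl.format(ip="198.51.100.2", status=404) for _ in range(5)]
    lines += [tmpl.format(ip="192.0.2.9", status=200) for _ in range(30)]
    lines.append("garbage line that does not match the format")
    return lines

if __name__ == "__main__":
    for ip, n, level in find_noisy_ips(make_sample_log()):
        print(f"{ip}\t{n}\t{level}")  # 203.0.113.7  120  high
```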