Referring below query:
index=f5
| rex field=headers "Host: (?<host_url>[a-zA-Z0-9\-\.]+\.[a-zA-Z]{2,3})"
| eval portal=if(cidrmatch("10.x0x.0.0/16",dest) OR cidrmatch("10.A0A.0.0/16",dest) ,"External_Portal","Internal_Portal")
| stats count(eval(status="200")) AS "ok_status", count(eval(status="404" OR match(status,"^50"))) as "not_ok_status" by dest,host_url
**| eval site_status = if("ok_status" < "not_ok_status" , "site_unavailable" , "site_available")**
| search host_url="www.*.xxx.xx" | fields + dest host_url site_status
================================================
| eval site_status = if("ok_status" < "not_ok_status" , "site_unavailable" , "site_available")
At this stage I want to add a time constraint: if, within 5 minutes, if("ok_status" < "not_ok_status"), then the site is unavailable.
index=f5 sourcetype=your_sourcetype "www.*" dest="10.x0x.*"
| rex field=headers "Host: (?<host_url>[^:\r\n]+)"
| stats count(eval(status="200")) AS ok_status, count(eval(status="404" OR match(status,"^50"))) as not_ok_status by dest,host_url
| fields dest host_url ok_status not_ok_status
| eval site_status = if(ok_status < not_ok_status , "site_unavailable" , "site_available")
I modified it in various ways. How about this?
Further to above I update the query as below:
index=f5
| rex field=headers "Host: (?<host_url>[a-zA-Z0-9\-\.]+\.[a-zA-Z]{2,3})"
| eval portal=if(cidrmatch("10.x0x.0.0/16",dest) OR cidrmatch("10.a0a.0.0/16",dest) ,"External_Portal","Internal_Portal") | search host_url="www.*.xx.xx" portal="External_Portal"
[ search index=f5 earliest=-5m latest=now
| rex field=headers "Host: (?<host_url>[a-zA-Z0-9\-\.]+\.[a-zA-Z]{2,3})"
| stats count(eval(status="200")) AS "ok_status", count(eval(status="404" OR match(status,"^50"))) as "not_ok_status" by dest,host_url
| eval site_status = if("ok_status" < "not_ok_status" , "site_unavailable" , "site_available")
| return site_status]
| fields site_status,dest,host_url
but no results...?
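The queries in this thread fail for a few SPL reasons that are worth separating out. In eval, double quotes denote string literals, so `"ok_status" < "not_ok_status"` compares the two words, not the two fields, and gives every row the same answer; field names go unquoted (or in single quotes). `status="50*"` inside eval is also a literal comparison, because wildcards only apply in search, so no 5xx response is ever counted. In the answer's rex, `[^:]+?` with nothing after it is a lazy match that captures a single character. And in the follow-up, `| return site_status` turns the subsearch result into a search term (`site_status="site_unavailable"`) that is applied to the outer events, which have no `site_status` field yet, hence no results. The query below is an added example written for this thread, not any poster's own code: it keeps the field names from the thread (`headers`, `dest`, `status`, `host_url`, `portal`) and the thread's CIDR placeholders (which still need the real ranges), drops the subsearch, and applies the 5-minute constraint by bucketing events into 5-minute windows with `bin`, so each dest/host pair is judged per window over whatever time range the search is run with.

```spl
index=f5
| rex field=headers "Host: (?<host_url>[^:\r\n]+)"
| eval portal=if(cidrmatch("10.x0x.0.0/16",dest) OR cidrmatch("10.a0a.0.0/16",dest), "External_Portal", "Internal_Portal")
| search host_url="www.*" portal="External_Portal"
| bin _time span=5m
| stats count(eval(status="200")) AS ok_status, count(eval(status="404" OR match(status,"^50"))) AS not_ok_status BY _time, dest, host_url
| eval site_status=if(ok_status < not_ok_status, "site_unavailable", "site_available")
| fields _time, dest, host_url, ok_status, not_ok_status, site_status
```

Run with `earliest=-5m latest=now` to get only the most recent window, or over a longer range to see per-window history and feed an alert that fires when `site_status="site_unavailable"`. Note that counting 404 alongside 5xx as "not ok" follows the thread's definition; a 404 on a valid site is often a client-side miss rather than an outage, so many teams count only `match(status,"^5")` for availability.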