Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

stats count not working

dbashyam
Explorer
‎03-21-2019 04:28 AM

Hi, I am trying to get a table type of alerting but I am not getting the output

 index = ops host = Sr*xxxx* sourcetype=iislogs (HttpStatusCode =400 OR  HttpStatusCode = 401 OR HttpStatusCode = 403 OR HttpStatusCode = 404 OR HttpStatusCode = 405) AND (*loadbalancer* OR *gateway* OR *IFT* OR *widget* ) NOT ( *.png OR *.gif OR *.css OR *fonts* OR *.txt OR *.gif OR *.ico OR *.jpg OR *.pdf OR *.exe OR *.cgi OR *.swf OR *.vmd OR *.xsl OR *.xml OR *qualy* OR *woff* OR *.bak OR *.png OR *.svg OR *.ttf OR *.ini OR *.temp OR *.data OR *.tar OR *curl* OR *.po OR *.mo OR *.tpl OR *.tmpl OR *script*) | bin _time span=5m |stats count as avg_count by _time | where avg_count > 4 | eval alert="'splunk:".host.";crit;welcome to splunk  Error ".host.";Process;rr_os;mmtt;tt_3'" | table alert

I am expecting a table form but I don't get anything. Could you please help.

Thanks,
Dinesh

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

nickhills
Ultra Champion
‎03-21-2019 04:42 AM

after you run stats count as avg_count by _time there is no longer a field called 'host'

You can resolve this by using by _time, host instead.

index=ops host=Sr*xxxx* sourcetype=iislogs (HttpStatusCode=400 OR HttpStatusCode=401 OR HttpStatusCode=403 OR HttpStatusCode=404 OR HttpStatusCode=405) AND (*loadbalancer* OR *gateway* OR *IFT* OR *widget* ) NOT ( *.png OR *.gif OR *.css OR *fonts* OR *.txt OR *.gif OR *.ico OR *.jpg OR *.pdf OR *.exe OR *.cgi OR *.swf OR *.vmd OR *.xsl OR *.xml OR *qualy* OR *woff* OR *.bak OR *.png OR *.svg OR *.ttf OR *.ini OR *.temp OR *.data OR *.tar OR *curl* OR *.po OR *.mo OR *.tpl OR *.tmpl OR *script*) 
| bin _time span=5m 
| stats count as avg_count by _time, host
| where avg_count > 4 
| eval alert="'splunk:".host.";crit;welcome to splunk  Error ".host.";Process;rr_os;mmtt;tt_3'" 
| table alert
If my comment helps, please give it a thumbs up!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

nickhills
Ultra Champion
‎03-21-2019 04:42 AM

after you run stats count as avg_count by _time there is no longer a field called 'host'

You can resolve this by using by _time, host instead.

index=ops host=Sr*xxxx* sourcetype=iislogs (HttpStatusCode=400 OR HttpStatusCode=401 OR HttpStatusCode=403 OR HttpStatusCode=404 OR HttpStatusCode=405) AND (*loadbalancer* OR *gateway* OR *IFT* OR *widget* ) NOT ( *.png OR *.gif OR *.css OR *fonts* OR *.txt OR *.gif OR *.ico OR *.jpg OR *.pdf OR *.exe OR *.cgi OR *.swf OR *.vmd OR *.xsl OR *.xml OR *qualy* OR *woff* OR *.bak OR *.png OR *.svg OR *.ttf OR *.ini OR *.temp OR *.data OR *.tar OR *curl* OR *.po OR *.mo OR *.tpl OR *.tmpl OR *script*) 
| bin _time span=5m 
| stats count as avg_count by _time, host
| where avg_count > 4 
| eval alert="'splunk:".host.";crit;welcome to splunk  Error ".host.";Process;rr_os;mmtt;tt_3'" 
| table alert
If my comment helps, please give it a thumbs up!
0 Karma
Reply
Solved! Jump to solution

dbashyam
Explorer
‎03-25-2019 03:57 PM

yes that worked @nickhillscpl

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...