Aside from the solution nick posted, I came up with an alternative (it also includes all 400 and 500 errors, not just 404 and 500). Here's the base search:
sourcetype="iis" | stats count by sc_status | eventstats sum(count) as total | eval percent = round(100*(count/total),2) . " %" | search (sc_status=4* OR sc_status=5*) | eventstats sum(count) as errortotal | eval errper = round(100*(errortotal/total),2) | fields - errortotal, total
With an alert condition of
search errper > 1
This filters it down to just the errors, and the only problem I have with it is that it keeps a column I don't want to display (errper) because removing it from the fields causes the alert not to fire. Still, it does what I need it to do so I can work on finding a way to hide that one column later.
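The same calculation outside Splunk, as an added example that is not part of the original post: it reproduces the search's stages (count by status, percent of all requests, combined 4xx/5xx rate, threshold check) over a constructed IIS W3C log. The sample lines, function names and the assumption that the raw `sc-status` column is what the search sees as `sc_status` are illustrative.

```python
from collections import Counter

# Constructed IIS W3C sample (not data from the original post).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem sc-status time-taken
2024-01-01 00:00:01 GET /index.html 200 15
2024-01-01 00:00:02 GET /app.js 200 9
2024-01-01 00:00:03 GET /logo.png 304 2
2024-01-01 00:00:04 GET /missing 404 4
2024-01-01 00:00:05 POST /api/order 500 310
2024-01-01 00:00:06 GET /index.html 200 14
2024-01-01 00:00:07 GET /about 200 11
2024-01-01 00:00:08 GET /contact 200 12
"""

def status_counts(log_text):
    """Equivalent of `stats count by sc_status`; column found via #Fields."""
    counts, idx = Counter(), None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            idx = line.split()[1:].index("sc-status")
        elif line and not line.startswith("#") and idx is not None:
            cols = line.split()
            if len(cols) > idx:  # skip truncated lines
                counts[cols[idx]] += 1
    return counts

def error_report(counts, threshold=1.0):
    """Return (rows, errper, fires) for the 4xx/5xx statuses.

    rows   -> (status, count, percent of ALL requests), like `percent`
    errper -> combined 4xx/5xx share of all requests, like `errper`
    fires  -> the alert condition `errper > threshold`
    """
    total = sum(counts.values())
    if total == 0:  # no traffic: nothing to divide by, nothing to alert on
        return [], 0.0, False
    errors = {s: c for s, c in counts.items() if s[0] in "45"}
    errper = round(100 * sum(errors.values()) / total, 2)
    rows = [(s, c, f"{round(100 * c / total, 2)} %")
            for s, c in sorted(errors.items())]
    return rows, errper, errper > threshold

if __name__ == "__main__":
    print(error_report(status_counts(SAMPLE_LOG)))
```
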