Activity Feed
- Posted Re: Why is HTTP Event Collector listening only on 127.0.0.1 (localhost) address? on Getting Data In. 07-05-2018 03:40 PM
- Posted Re: How to alert when statusCode=403 is over X percent of total traffic, and greater than a count of 100? on Alerting. 01-25-2017 08:56 AM
- Posted Re: How to alert when statusCode=403 is over X percent of total traffic, and greater than a count of 100? on Alerting. 01-24-2017 05:25 PM
- Posted How to alert when statusCode=403 is over X percent of total traffic, and greater than a count of 100? on Alerting. 01-24-2017 04:46 PM
- Tagged How to alert when statusCode=403 is over X percent of total traffic, and greater than a count of 100? on Alerting. 01-24-2017 04:46 PM
07-05-2018 03:40 PM
I think I'm having a similar issue. We have an Apache2 reverse proxy in front of our Splunk instance. What type of setting did you configure to allow the HEC explicitly?
01-25-2017 08:56 AM
Oh yeah, that makes sense. This works just how I needed it now, thank you!
01-24-2017 05:25 PM
Thanks for your help! Unfortunately, that did not work. I tuned down my numbers to verify that the search was doing what I wanted, down to `count>=1 AND percent>.5`. I got "No results found" when running that, but when running my search with just the percent changed to `| search percent > 2`, I got a result of 0.55%.
01-24-2017 04:46 PM
I have an alert that checks for a percentage of requests that are 403'ing:
```
index=myIndex "POST /url1" OR "POST /url2 "
| stats count by statusCode
| eventstats sum(count) as percent
| eval percent=round(count*100/percent,2)
| fields percent,statusCode
| search (statusCode="403")
| search percent > 2
```
I'm hoping to add a condition for when traffic is slow and percentages might be skewed. How can I add a condition for the alert to fire only if the percent is > 2% of all traffic AND the amount of 403's is greater than 100?
Thanks for your help!
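One way to express both conditions in a single search, added here as an example and not taken from the thread's answers: in the search above, `fields percent,statusCode` discards `count`, so any later filter on `count` returns no results. The field names `total` and `forbidden` are chosen for illustration.

```spl
index=myIndex "POST /url1" OR "POST /url2 "
| stats count AS total, count(eval(statusCode="403")) AS forbidden
| eval percent=round(forbidden*100/total, 2)
| where forbidden > 100 AND percent > 2
| fields forbidden, total, percent
```

The search returns one row only when both thresholds are exceeded in the alert's time range, so the alert can trigger on "number of results greater than 0".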