I have 3 webservers which takes the traffic and that is load balanced with least connection based without any sticky sessions, so the traffic will be evenly loaded b/w these servers. looking to create alert if any of the host have less event count comparatively. have the below basic query which will look for specific event on all 3 access logs. we can get alert if there is no event by adding | search eventCount=0 but i need to get alert comparing to other host for example x server has 25 events and other server has 100 events which is above my threshold (75% difference). this will help me trouble shot the LB or may the process is X server is taking longer time to respond or something.
index=x AND (host="x" OR host="y" OR host="z" ) AND source="*access" AND "xyz.com"
| search ResponseCode=200
| inputlookup append=t apache_httpd.csv
| stats count as eventCount by host
apache_httpd.csv is nothing but as below
... View more