Hello Splunk community,
I have an alert setup that will trigger when a website status does not equal 200:
index=perfmon host="nameofsearchhead" sourcetype=httpstatus
| where status!=200
| lookup Prod-Websites.csv url AS url OUTPUTNEW server
| table _time,url,status
The results in the statistics tab show up as three columns: time, url, status code.
The alert currently triggers whenever I receive more than 4 results (which could be 5 different urls, that had a single non-200 event each).
I would like for the alert to trigger whenever I receive more than 4 results (non-200 events) for a single url, instead.
Try like this
Alert search
index=perfmon host="nameofsearchhead" sourcetype=httpstatus
| where status!=200
| lookup Prod-Websites.csv url AS url OUTPUTNEW server
| table _time,url,status | eventstats count by url | where count>4
Alert condition
when number of results > 0
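To see why the per-url condition behaves differently from the original "more than 4 results" trigger, here is a small Python simulation of the two alert conditions over constructed httpstatus events. This is an added example, not code from the original thread or from Splunk: the sample events, the URL names and the helper names (alert_on_total, eventstats_count_by_url, alert_on_per_url, urls_over_threshold) are all assumptions made for illustration, and the functions only mimic what `eventstats count by url | where count>4` does to a result set.

```python
from collections import Counter

# Constructed sample events (not from the original post). These represent the
# rows left after `where status!=200`, i.e. only the non-200 checks, with the
# three fields the question's search tables.
SCATTERED = [  # five different URLs, one failure each
    {"_time": "2024-01-01T00:00:00", "url": "https://a.example", "status": 503},
    {"_time": "2024-01-01T00:01:00", "url": "https://b.example", "status": 502},
    {"_time": "2024-01-01T00:02:00", "url": "https://c.example", "status": 500},
    {"_time": "2024-01-01T00:03:00", "url": "https://d.example", "status": 404},
    {"_time": "2024-01-01T00:04:00", "url": "https://e.example", "status": 503},
]

CONCENTRATED = [  # one URL failing repeatedly, plus a single unrelated failure
    {"_time": "2024-01-01T00:00:00", "url": "https://shop.example", "status": 503},
    {"_time": "2024-01-01T00:01:00", "url": "https://shop.example", "status": 503},
    {"_time": "2024-01-01T00:02:00", "url": "https://shop.example", "status": 502},
    {"_time": "2024-01-01T00:03:00", "url": "https://shop.example", "status": 503},
    {"_time": "2024-01-01T00:04:00", "url": "https://shop.example", "status": 500},
    {"_time": "2024-01-01T00:05:00", "url": "https://a.example", "status": 404},
]


def alert_on_total(events, threshold=4):
    """Original alert: fires when the total number of non-200 rows exceeds the threshold,
    regardless of how those rows are spread across URLs."""
    return len(events) > threshold


def eventstats_count_by_url(events):
    """Mimic `eventstats count by url`: keep every row and add a `count` field holding
    the number of rows that share the same url (eventstats annotates, it does not aggregate)."""
    per_url = Counter(event["url"] for event in events)
    return [dict(event, count=per_url[event["url"]]) for event in events]


def alert_on_per_url(events, threshold=4):
    """Revised alert from the answer: `eventstats count by url | where count>4`, then the
    alert condition 'number of results > 0'. Returns (fires, surviving rows)."""
    surviving = [row for row in eventstats_count_by_url(events) if row["count"] > threshold]
    return len(surviving) > 0, surviving


def urls_over_threshold(events, threshold=4):
    """Convenience view: which URLs actually crossed the per-url threshold."""
    return sorted({row["url"] for row in eventstats_count_by_url(events) if row["count"] > threshold})


if __name__ == "__main__":
    for name, events in (("scattered", SCATTERED), ("concentrated", CONCENTRATED)):
        fires, rows = alert_on_per_url(events)
        print(f"{name}: total-count alert={alert_on_total(events)}, "
              f"per-url alert={fires}, offending urls={urls_over_threshold(events)}, "
              f"result rows={len(rows)}")
```

Running it shows the scattered case fires the original alert but not the per-url one, while the concentrated case fires both. Note that because `eventstats` keeps one row per event, the revised alert's result set for a URL with five failures contains five rows (one per failing check), which is what the alert's "number of results > 0" condition counts.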
Will do!
Thank you, somesoni2!