Solved: Generate percentage and filter based on it from ev...

arun_kant_sharm · ‎11-25-2019

Hi Experts,
I need to create a alert , if HTTPCode_Target_5XX_Count is greater than 5% of Total count then i need to send alert mail.
My SPL

sourcetype=aws:cloudwatch
| spath path=Average
| spath path=Maximum
| spath path=Minimum 
| spath path=SampleCount 
| spath path=Sum 
| spath path=Unit
| spath path=account_id
| spath path=metric_dimensions 
| spath path=metric_name
| spath path=period
| spath path=timestampe 
| search metric_dimensions="*app/adj-tok-nonprod-web-in-alb/*" AND metric_name=HTTPCode_Target*  | stats sum(SampleCount)  by metric_name |rename sum(SampleCount)  as SampleCount |  addtotals row=f col=t labelfield=metric_name  SampleCount

Output Format:

metric_name              SampleCount
HTTPCode_Target_2XX_Count       14684
HTTPCode_Target_3XX_Count        9551
HTTPCode_Target_4XX_Count         189
HTTPCode_Target_5XX_Count          44
Total                           24468

Suggest what i need to append in my SPL to get proper result

woodcock · ‎11-25-2019

Like this:

index="YouShouldAlwaySpecifyAnIndex" AND sourcetype="aws:cloudwatch"
| spath path=Average
| spath path=Maximum
| spath path=Minimum 
| spath path=SampleCount 
| spath path=Sum 
| spath path=Unit
| spath path=account_id
| spath path=metric_dimensions 
| spath path=metric_name
| spath path=period
| spath path=timestampe 
| search metric_dimensions="*app/adj-tok-nonprod-web-in-alb/*" AND metric_name=HTTPCode_Target* 
| stats sum(SampleCount) AS SampleCount BY metric_name
| eventstats sum(SampleCount) AS GrandTotal
| eval pct = 100 * (SampleCount / GrandTotal)
| where pct > 5

View solution in original post

woodcock · ‎11-25-2019

Like this:

index="YouShouldAlwaySpecifyAnIndex" AND sourcetype="aws:cloudwatch"
| spath path=Average
| spath path=Maximum
| spath path=Minimum 
| spath path=SampleCount 
| spath path=Sum 
| spath path=Unit
| spath path=account_id
| spath path=metric_dimensions 
| spath path=metric_name
| spath path=period
| spath path=timestampe 
| search metric_dimensions="*app/adj-tok-nonprod-web-in-alb/*" AND metric_name=HTTPCode_Target* 
| stats sum(SampleCount) AS SampleCount BY metric_name
| eventstats sum(SampleCount) AS GrandTotal
| eval pct = 100 * (SampleCount / GrandTotal)
| where pct > 5

woodcock · ‎11-25-2019

P.S. Your subject stinks. Try harder next time.

woodcock · ‎11-26-2019

I fixed it for you.

renjith_nair · ‎11-25-2019

@arun_kant_sharma ,

Try

sourcetype=aws:cloudwatch | spath path=Average
| spath path=Maximum
| spath path=Minimum
| spath path=SampleCount
| spath path=Sum
| spath path=Unit
| spath path=account_id
| spath path=metric_dimensions
| spath path=metric_name
| spath path=period
| spath path=timestampe
| search metric_dimensions="app/adj-tok-nonprod-web-in-alb/" AND metric_name=HTTPCode_Target* 
| stats sum(SampleCount) as total,sum(eval(if(metric_name=="HTTPCode_Target_5XX_Count",SampleCount,0))) as 5xx
| eval perc=round((5xx/total)*100,2)
| where perc > 5

---
What goes around comes around. If it helps, hit it with Karma 🙂

Generate percentage and filter based on it from events with count in them (so I cannot use "top")?

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio