Splunk Search

Stats -- Alert When Count Exceeds Threshold

vragosta
Path Finder

I'm sure this is easy to do, but I'm a bit stumped. Say I have a search like this:

http_status="500" | stats count by client_address, url, server_name, http_status_description, http_method, http_version, user_agent, referrer

I want to generate an alert if the aggregate count is greater than a specified threshold, like 100, but cannot figure out how to do this...

Any help is appreciated.

Thanks!

1 Solution

alacercogitatus
SplunkTrust

Based on the comment under jtrucks' answer:

http_status="500" | eventstats count as TOTAL_COUNT | stats latest(TOTAL_COUNT) as TC count by client_address, url, server_name, http_status_description, http_method, http_version, user_agent, referrer | where TC > 100

Ref:
http://docs.splunk.com/Documentation/Splunk/5.0.3/SearchReference/Eventstats

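An added example, not from the thread, that applies the same total threshold after the stats instead of before it: eventstats then only sums the few aggregated rows rather than tagging every raw 500 event, and each row keeps its own per-client count next to the total. The field names and the threshold of 100 are the ones from the question.

```spl
http_status="500"
| stats count by client_address, url, server_name, http_status_description, http_method, http_version, user_agent, referrer
| eventstats sum(count) as TOTAL_COUNT
| where TOTAL_COUNT > 100
| sort - count
```

Saved as an alert with the trigger condition "number of results is greater than 0", this fires only when the 500s across all rows add up to more than 100 in the search window, and the rows returned show which client/URL combinations contributed most.
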
vragosta
Path Finder

Thanks! Looks like this will work as intended.


jtrucks
Splunk Employee

Just add a where clause at the end like:

| where count > 100

--
Jesse Trucks
Minister of Magic

vragosta
Path Finder

Actually, neither of these will work. I don't want to know where a single aggregate sum exceeds 100. I want to know if the sum total of all of the aggregate sums exceeds 100. For example, I may have something like this:

client_address   url       server          count
10.0.0.1         /stuff    /myserver.com   50
10.0.0.2         /stuff2   /myserver.com   51

I want the above result set to generate an alert because 50+51 > 100. If I simply check where count > 100, then any one result would need to have a count of 100 or more for the alert to be generated.

Hope this makes sense.

Thanks,


linu1988
Champion

Hello,
I would do something like:
http_status="500" | stats count(http_status) as Error_Count by url | table server_name, client_address, url, http_status_description, http_method, http_version, user_agent, referrer, Error_Count | where Error_Count > 100

You can also get rid of some fields which are not really required, to keep the result table clean.

linu1988
Champion

For the requirement below I would do stats count only, but then I would not be able to show the other details. I would do a join to just show the count.

http_status="500" | stats count by url | join host [search http_status="500" | stats count(http_status) as Total_Error_Count] | table server_name, client_address, url, http_status_description, http_method, http_version, user_agent, referrer, count, Total_Error_Count | where Total_Error_Count > 100

This will show you the same Total_Error_Count for each of the urls/ips.

Hope this gives you a hint, but it's not the correct condition for alert to see.
