Solved: How to trigger an alert if http _status code =200 ...

nilbak1 · ‎12-02-2019

How to trigger an alert if http _status code =200 is not reported in logs for any host from last 15 mins ?

nilbak1 · ‎12-02-2019

Hi @richgalloway
yes, I have been able to create the query for the alert,
I have imported lookupfile where I mentioned hosts and their count as 0 and append this with my main query and getting the desired result.
Anyways thanks for your input 🙂

View solution in original post

nilbak1 · ‎12-02-2019

Hi @richgalloway
yes, I have been able to create the query for the alert,
I have imported lookupfile where I mentioned hosts and their count as 0 and append this with my main query and getting the desired result.
Anyways thanks for your input 🙂

richgalloway · ‎12-02-2019

If you mean no host has reported code 200 then run a search over the last 15 minutes looking for http_status=200. Trigger an alert if the number of results is zero.
For any single host, it's more complex because Splunk will find hosts that have reported, but cannot find those which have not (you can't search for something that doesn't exist). The solution is to have a list of hosts and compare that list to the list of hosts which have reported code 200. Trigger an alert when the two lists don't match.

---
If this reply helps you, Karma would be appreciated.

How to trigger an alert if http _status code =200 is not reported in logs for any host from last 15 mins ?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...