I am trying to monitor the percentage of 500s per endpoint of my API. I currently am returning all of the information and want to only show results if the percentage goes over 5% (this way I can alert whenever the report is run and there are greater than 0 results).
sourcetype=My_Api_Access_Log
| eval path=My_Path
| eval endpoint = method." ".path
| eval iserror=if(status=500,1,0)
| eval err_user=if(iserror==1, user_id, null())
| stats sum(iserror) as errors, count as total, dc(err_user) as users by endpoint
| where errors != 0
| eval percent=round(100*errors/total,2)."%"
| fields endpoint, errors, total, percent, users
| sort -percent
This is working great, but when I add:
| where percent > 5
I get no results even though I know I have endpoints over 5% error rates.
Any ideas?
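An added example, not part of the original post: appending "%" inside `eval` makes `percent` a string, so a later `where percent > 5` is no longer comparing a number. The version below thresholds and sorts on a numeric field first and adds the "%" only for display; the field name `pct` is a hypothetical name introduced here.

```spl
sourcetype=My_Api_Access_Log
| eval path=My_Path
| eval endpoint = method." ".path
| eval iserror=if(status=500,1,0)
| eval err_user=if(iserror==1, user_id, null())
| stats sum(iserror) as errors, count as total, dc(err_user) as users by endpoint
``` pct (hypothetical name) stays numeric so the threshold and sort compare numbers ```
| eval pct=round(100*errors/total,2)
| where pct > 5
| sort -pct
``` format for display only after all numeric work is done ```
| eval percent=pct."%"
| fields endpoint, errors, total, percent, users
```

With the threshold inside the search, an alert condition of "number of results greater than 0" fires only when at least one endpoint exceeds 5%.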