I have an alert that checks for a percentage of requests that are 403'ing:
index=myIndex "POST /url1" OR "POST /url2 "
| stats count by statusCode
| eventstats sum(count) as percent
| eval percent=round(count*100/percent,2)
| fields percent,statusCode
| search (statusCode="403")
| search percent > 2
I'm hoping to add a condition for when traffic is slow and percentages might be skewed. How can I add a condition for the alert to fire only if the percent is > 2% of all traffic AND the amount of 403's is greater than 100?
Thanks for your help!
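One way to express the condition asked about above, as an added example that is not part of the original post: count total requests and 403 responses in one `stats` pass, then require both the percentage and the absolute count to exceed their thresholds. It assumes `statusCode` is extracted as in the query above; the field names `total` and `forbidden` are introduced here for illustration.

```spl
index=myIndex "POST /url1" OR "POST /url2 "
| stats count AS total, count(eval(statusCode="403")) AS forbidden
| eval percent=round(forbidden*100/total,2)
| where percent > 2 AND forbidden > 100
| fields percent, forbidden, total
```

With the alert set to trigger when the number of results is greater than zero, a quiet period with only a few 403s returns no row, even if those few make up more than 2% of traffic.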