How create Splunk alert based on HTTP status codes...

Pathik · ‎07-29-2021

After searching various posts around HTTP status codes, ended up posting new question 😞

I would like to create alert if failures are 5% of total traffic.

My criteria of failure is anything that doesn't match HTTP status code 200, 400, 401, 403

Thanks in advance

Pathik

vinothkumark · ‎01-20-2023

Hi, can you help on the query if multiple condition needs to be met in the same query?
Example: status code is 500 and greater than 10% alert should be triggered. also, if status code is 403 and greater than 20% alert should be triggered.

venkatasri · ‎07-29-2021

Hi @Pathik Can you try this.

<your_search> status!=200 OR status!=400 OR status!=401 OR status!=403  
| stats count by status 
| addcoltotals count 
| eventstats max(count) as total 
| eval perc=count/total * 100 
| where perc > 5 AND isnotnull(status) | fields - total

Pathik · ‎08-03-2021

Thanks @venkatasri ,

Its not working, applied what you shared. but getting only bad requests. (success count not coming in output at all it seems)

Any other things to change?

ITWhisperer · ‎08-03-2021

<your search>
| eval fail=if(status IN (200,400,401,403),0,1)
| stats count as total sum(fail) as fails
| eval percent=100*fails/total
| where percent>5

Pathik · ‎08-08-2021

Works like a charm @ITWhisperer , thanks a ton

How create Splunk alert based on HTTP status codes?

other

Index This | I’m short for "configuration file.” What am I?

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Your Guide to SPL2 at .conf24!