Splunk Queries

Tomcat Response errors

HTTP/HTTPS requests have over 200 errors within a 10 second period of time (we may want to consider tuning this, but let’s see what 200 alerts on now.

sourcetype="tomcat:access:log"
| bucket _time span=10s
| rex field=_raw "(?ms)^[^\"\\n]*\"(?P<firstLineofRequest>[^\"]+)\"\\s+(?P<httpStatusCode>\\d+)\\s+(?P<bytesSentCount>[^ ]+)"
| search httpStatusCode>399
| stats count(httpStatusCode) AS STCount
| search STCount>200

HTTP/HTTPS requests do not respond after 10 seconds

sourcetype="tomcat:access:log"
| bucket _time span=10s
| rex field=_raw "(?ms)^[^\"\\n]*\"(?P<firstLineofRequest>[^\"]+)\"\\s+(?P<httpStatusCode>\\d+)\\s+(?P<bytesSentCount>[^ ]+)"
| search httpStatusCode>0
| stats count(httpStatusCode) AS STCount
| search STCount<0

Nate Crisler

Nate Crisler is a data enthusiast, who by day helps resolve complex issues by aggregating and correlating data, and by night builder of Nutanix and hunter of trolls (the cyber-bullying type). Nutanix NTC 2019 and Splunk advocate for life.

Read More...

Top Posts

Recent Posts

categories

tags