Forum Discussion
PDisme110
May 15, 2023 · Copper Contributor
status code threshold
Trying to figure out how to find events where status code 200 goes above a certain avg threshold, say 10%. I think I have the avg figured out, but unsure how to get the rest written. Any help would b...
Kidd_Ip
Jun 29, 2026 · MVP
How about this
// Hourly count of 200 responses over the last 7 days
let hourly = W3CIISLog
| where TimeGenerated > ago(7d)
| where scStatus == "200"
| summarize totalCount = count() by bin(TimeGenerated, 1h);
// Average hourly count as a scalar (the hourly rows have no avghits column to join on)
let avghits = toscalar(hourly | summarize avg(totalCount));
hourly
// Keep only the hours more than 10% above that average
| extend threshold = avghits * 1.10
| where totalCount > threshold
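
The same threshold check computed per site, so a busy site's baseline does not hide a spike on a quiet one. This is an added example, not part of the reply above: the sample table, its values and the `pct` variable are constructed for illustration, and `sSiteName` is assumed to be populated in your W3CIISLog data.

```kusto
// Constructed sample: requests per hour, per site and status (not real data).
let HourlyPlan = datatable(Hour: datetime, sSiteName: string, scStatus: string, Requests: int) [
    datetime(2023-05-15 00:00), "SiteA", "200", 100,
    datetime(2023-05-15 01:00), "SiteA", "200", 104,
    datetime(2023-05-15 02:00), "SiteA", "200", 96,
    datetime(2023-05-15 03:00), "SiteA", "200", 140,   // constructed busy hour
    datetime(2023-05-15 03:00), "SiteA", "500", 12,    // non-200 rows are filtered out below
    datetime(2023-05-15 00:00), "SiteB", "200", 10,
    datetime(2023-05-15 01:00), "SiteB", "200", 9,
    datetime(2023-05-15 02:00), "SiteB", "200", 11,
    datetime(2023-05-15 03:00), "SiteB", "200", 10
];
// Expand the plan into one row per request, shaped like W3CIISLog.
let SampleIISLog = HourlyPlan
    | mv-expand n = range(1, Requests)
    | project TimeGenerated = Hour + 1m, sSiteName, scStatus;
// Fraction above the per-site average that counts as "over threshold".
let pct = 0.10;
// Hourly count of 200 responses for each site.
let hourly = SampleIISLog
    | where scStatus == "200"
    | summarize totalCount = count() by sSiteName, bin(TimeGenerated, 1h);
hourly
// Attach each site's own average to its hourly rows.
| join kind=inner (
    hourly
    | summarize avghits = avg(totalCount) by sSiteName
  ) on sSiteName
| extend threshold = avghits * (1 + pct)
| where totalCount > threshold
| project TimeGenerated, sSiteName, totalCount, avghits, threshold
```

To run it against real data, replace `SampleIISLog` with `W3CIISLog | where TimeGenerated > ago(7d)`. Hours with no 200 responses produce no bin, so the average is taken over non-empty hours only.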