Forum Discussion

PDisme110
Copper Contributor
May 15, 2023

status code threshold

Trying to figure out how to find events where status code 200 goes above a certain avg threshold, say 10%. I think I have the avg figured out, but unsure how to get the rest written. Any help would be appreciated. 

 

W3CIISLog
    | where TimeGenerated > ago(7d)
    | where scStatus == "200"
    | summarize totalCount = count() by bin(TimeGenerated, 1h), scStatus
    | summarize avghits = avg(totalCount)

1 Reply

  • How about this

    W3CIISLog
    | where TimeGenerated > ago(7d)
    | where scStatus == "200"
    | summarize totalCount = count() by bin(TimeGenerated, 1h)
    | summarize avghits = avg(totalCount)
    | extend joinKey = 1          // constant key: the single-row average joins to every hourly bucket
    | join kind=inner (
        W3CIISLog
        | where TimeGenerated > ago(7d)
        | where scStatus == "200"
        | summarize totalCount = count() by bin(TimeGenerated, 1h)
        | extend joinKey = 1      // same constant on the right side so the join has a column to match on
    ) on joinKey
    | extend threshold = avghits * 1.10
    | where totalCount > threshold
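The same threshold check written as an added example (not code from either poster): instead of self-joining the table on the average, it computes the hourly counts once, pulls the mean out as a scalar with toscalar(), and then flags every hour more than 10% above it. The SampleIISLog table is a constructed stand-in for W3CIISLog so the query runs on its own; swap in W3CIISLog | where TimeGenerated > ago(7d) to use real data.

```kusto
// Constructed sample: six hourly buckets of 200 responses, expanded to one row
// per request so the query keeps the same count()/bin() step as the real table.
// 03:00 is deliberately about 24% busier than the rest.
let SampleIISLog =
    datatable(HourStart:datetime, hits:long)
    [
        datetime(2023-05-15 00:00:00), 100,
        datetime(2023-05-15 01:00:00),  95,
        datetime(2023-05-15 02:00:00), 105,
        datetime(2023-05-15 03:00:00), 130,
        datetime(2023-05-15 04:00:00),  98,
        datetime(2023-05-15 05:00:00), 102,
    ]
    | mv-expand n = range(1, hits, 1) to typeof(long)
    | project TimeGenerated = HourStart + n * 1s, scStatus = "200";
// Hourly counts of successful responses over the window.
let Hourly =
    SampleIISLog                   // real data: W3CIISLog | where TimeGenerated > ago(7d)
    | where scStatus == "200"
    | summarize totalCount = count() by bin(TimeGenerated, 1h);
// The mean hourly count as a single scalar, so no join is needed.
let avghits = toscalar(Hourly | summarize avg(totalCount));
Hourly
| extend threshold = avghits * 1.10,
         pctAboveAvg = round(100.0 * (totalCount - avghits) / avghits, 1)
| where totalCount > threshold
| order by TimeGenerated asc
```

On the constructed data the mean is 105 hits per hour, the threshold is 115.5, and only the 03:00 bucket (130 hits, 23.8% above average) is returned. A sustained rise in 200s from a single hour is worth correlating with client IP and URI counts before treating it as scraping or automated traffic rather than a legitimate spike.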