Forum Discussion
PDisme110
May 15, 2023, Copper Contributor
status code threshold
Trying to figure out how to find events where status code 200 goes above a certain avg threshold, say 10%. I think I have the avg figured out, but unsure how to get the rest written. Any help would be appreciated.
W3CIISLog
| where TimeGenerated > ago(7d)
| where scStatus == "200"
| summarize totalCount = count() by bin(TimeGenerated, 1h), scStatus
| summarize avghits = avg(totalCount)
1 Reply
How about this
W3CIISLog
| where TimeGenerated > ago(7d)
| where scStatus == "200"
| summarize totalCount = count() by bin(TimeGenerated, 1h)
| summarize avghits = avg(totalCount)
// The right side of the join has no avghits column, so joining on avghits fails;
// a constant key on both sides attaches the single average row to every hourly bin.
| extend joinKey = 1
| join kind=inner (
    W3CIISLog
    | where TimeGenerated > ago(7d)
    | where scStatus == "200"
    | summarize totalCount = count() by bin(TimeGenerated, 1h)
    | extend joinKey = 1
) on joinKey
| extend threshold = avghits * 1.10
| where totalCount > threshold
| project TimeGenerated, totalCount, avghits, threshold
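The same check (hourly count of 200s against 110% of the 7-day hourly average) as an added, stand-alone Python example for validating the logic offline; it is not code from either poster. It assumes a constructed W3C extended log snippet with a `sc-status` field, and, like the KQL above, only hours that contain at least one 200 enter the average.

```python
from collections import Counter
from datetime import datetime

# Constructed sample in W3C extended log format (what W3CIISLog ingests).
# Fields: date time s-ip cs-method cs-uri-stem sc-status.
# The 10:00 hour carries a spike of 200s compared with the other hours.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem sc-status
2023-05-14 08:05:01 10.0.0.5 GET /index.html 200
2023-05-14 08:15:09 10.0.0.5 GET /index.html 200
2023-05-14 08:41:22 10.0.0.5 GET /missing 404
2023-05-14 09:02:14 10.0.0.5 GET /index.html 200
2023-05-14 09:33:51 10.0.0.5 GET /index.html 200
2023-05-14 10:01:00 10.0.0.5 GET /index.html 200
2023-05-14 10:02:00 10.0.0.5 GET /index.html 200
2023-05-14 10:03:00 10.0.0.5 GET /index.html 200
2023-05-14 10:04:00 10.0.0.5 GET /index.html 200
2023-05-14 10:05:00 10.0.0.5 GET /index.html 200
2023-05-14 10:06:00 10.0.0.5 GET /index.html 500
"""


def hourly_counts(log_text: str, status: str = "200") -> dict[datetime, int]:
    """Count requests with the given sc-status per 1h bin, like bin(TimeGenerated, 1h)."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue  # skip W3C directives such as #Fields
        date, time, *_rest, sc_status = line.split()
        if sc_status != status:
            continue
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        counts[ts.replace(minute=0, second=0)] += 1
    return dict(counts)


def bins_over_threshold(counts: dict[datetime, int], pct: float = 0.10):
    """Return (bin, totalCount, threshold) for bins whose count exceeds avg * (1 + pct).

    Hours with zero matching requests are absent from counts and therefore do not
    pull the average down; this mirrors the summarize/avg behaviour of the KQL query.
    """
    if not counts:
        return []
    avghits = sum(counts.values()) / len(counts)
    threshold = avghits * (1 + pct)
    return [(b, n, threshold) for b, n in sorted(counts.items()) if n > threshold]
```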