I have logging done on Sumo Logic. The log JSON contains the response time of the request. Let it be a JSON key whose name is "response_time". Each request is identified by a unique ID, denoted by the JSON key "request_id", and a URL, denoted by the JSON key "url". I need to alert on a Slack channel based on the following condition.
1) In a window of 10 minutes, if there are 100 requests and more than 5% of those requests have a response time of more than 100 ms, then alert with the "url", "request_id" and "response_time" of all those requests.
2) If 5% or fewer of the requests have a response time of more than 100 ms, then don't alert at all.
I wrote a query like this.
// extract the per-request fields from the raw JSON message
| json field=_raw "response_time" as response_time
| json field=_raw "request_id" as request_id
| json field=_raw "url" as url
// flag each request as slow (> 100 ms) or not
| if (num(response_time) > 100, 1, 0) as higher
| if (num(response_time) <= 100, 1, 0) as lower
// aggregate over the search window
| count as total_requests, sum(higher) as response_time_greater_than_100, sum(lower) as response_time_less_than_100
| (response_time_greater_than_100/total_requests) as failure_ratio
| where (failure_ratio > 0.05)
The above query gives me all the requests when more than 5% of requests have a response_time of more than 100 ms, but it gives me all requests irrespective of response time. No results are returned otherwise.
Along with this result, I want to filter the above query further to only the requests having "response_time" > 100 ms.
Whenever there are results, it gives two tabs, one for "Messages" and another for "Aggregates", and I want to send the fields in the "Messages" tab to a Slack channel. Could you please help with this?
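The two-stage logic the question describes (first decide on the aggregate, then forward only the slow requests) is easy to get wrong when the aggregate step discards the per-request rows. The following Python script is an added illustration and is not part of the original post or of Sumo Logic's query language; it evaluates one 10-minute window of constructed JSON log lines offline, applies the "at least 100 requests and more than 5% slower than 100 ms" condition (the "at least" reading of "if there are 100 requests" is an assumption), and returns only the url, request_id and response_time of the slow requests, which is what would be forwarded to Slack. Lines that are not valid JSON or lack the required keys are skipped rather than counted, which the poster's query does implicitly.

```python
import json

# Thresholds taken from the question: 10-minute window, 100 requests, 5 %, 100 ms.
WINDOW_SECONDS = 600
MIN_REQUESTS = 100
SLOW_THRESHOLD_MS = 100
FAILURE_RATIO_THRESHOLD = 0.05


def parse_log_lines(lines):
    """Parse JSON log lines into records and skip unusable ones.

    Mirrors the `json field=_raw ... as ...` steps of the query: a line that
    is not JSON, lacks a needed key, or has a non-numeric response_time is
    dropped instead of aborting the evaluation.
    """
    records = []
    for line in lines:
        try:
            raw = json.loads(line)
            records.append({
                "request_id": str(raw["request_id"]),
                "url": str(raw["url"]),
                "response_time": float(raw["response_time"]),
            })
        except (ValueError, KeyError, TypeError):
            continue
    return records


def evaluate_window(records, min_requests=MIN_REQUESTS,
                    slow_ms=SLOW_THRESHOLD_MS,
                    ratio_threshold=FAILURE_RATIO_THRESHOLD):
    """Apply the aggregate condition, then filter the per-request rows.

    Returns None when no alert is due (fewer than min_requests in the window,
    or at most ratio_threshold of them slow). Otherwise returns the aggregate
    figures plus only the slow requests, i.e. the "Messages" content to send.
    """
    total = len(records)
    if total < min_requests:
        return None
    slow = [r for r in records if r["response_time"] > slow_ms]
    failure_ratio = len(slow) / total
    if failure_ratio <= ratio_threshold:
        return None
    return {
        "total_requests": total,
        "response_time_greater_than_100": len(slow),
        "failure_ratio": failure_ratio,
        "slow_requests": [(r["url"], r["request_id"], r["response_time"])
                          for r in slow],
    }


def format_slack_text(result):
    """Render the alert as a plain-text Slack message body."""
    lines = [
        f"{result['response_time_greater_than_100']} of "
        f"{result['total_requests']} requests "
        f"({result['failure_ratio']:.1%}) exceeded {SLOW_THRESHOLD_MS} ms:"
    ]
    for url, request_id, rt in result["slow_requests"]:
        lines.append(f"- {url} request_id={request_id} response_time={rt:.0f}ms")
    return "\n".join(lines)


def make_sample_lines(slow_count, total=100):
    """Constructed sample log lines (not real data): `slow_count` of `total`
    requests exceed 100 ms, plus one malformed line and one missing a key."""
    lines = []
    for i in range(total):
        rt = 250 if i < slow_count else 40
        lines.append(json.dumps({
            "request_id": f"req-{i:04d}",
            "url": "/api/orders" if i % 2 else "/api/cart",
            "response_time": rt,
        }))
    lines.append("not json at all")
    lines.append(json.dumps({"request_id": "req-x", "url": "/health"}))
    return lines


if __name__ == "__main__":
    result = evaluate_window(parse_log_lines(make_sample_lines(slow_count=7)))
    print(format_slack_text(result) if result else "no alert")
```

Run as-is it prints an alert listing the seven slow requests; change `slow_count=7` to `slow_count=5` and it prints "no alert", because 5% is not more than 5%. The point carried over to the Sumo Logic side is that the aggregate decision and the per-request filter are separate steps, so the rows to forward must be selected with `response_time > 100` after, not instead of, the ratio check.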