Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Duration Filter help

jerinvarghese
Communicator
‎12-09-2020 02:39 AM

Hi All,

Need help in the Duration filter.

Code: 

 

index=opennms "ciscoLwappApIfUpNotify" OR "ciscoLwappApIfDownNotify"
| rex field=eventuei "ciscoLwappApIf(?<Status>.+)"
| stats max(_time) as Time latest(Status) as Status by nodelabel
| where Status="DownNotify"

| fieldformat Time=strftime(Time,"%Y-%m-%d %l:%M:%S")
| eval Downtime = now() - Time
| eval Downtime = tostring(Downtime, "duration")
| rex field=Downtime "(?P<Downtime>[^.]+)"

| table nodelabel, Status, Downtime, Time

 

 

Sample output: 

nodelabelStatusDowntimeTime
USBTNBTECEDownNotify0:12:0212/9/2020 2:36
USJOLWLCDownNotify1:31:2112/9/2020 2:17
USMBPDownNotify2:08:2512/9/2020 1:39

 

Requirement is.: 

Filter/remove all those values less than 1 hr Downtime.

Tried all possibilities  "| where duration >3600"  but no output coming when giving this. Please suggest a solution. 

Labels (4)
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎12-09-2020 02:50 AM

@jerinvarghese , you should filter the Downtime values before formatting like below;

index=opennms "ciscoLwappApIfUpNotify" OR "ciscoLwappApIfDownNotify"
| rex field=eventuei "ciscoLwappApIf(?<Status>.+)"
| stats max(_time) as Time latest(Status) as Status by nodelabel
| where Status="DownNotify"

| fieldformat Time=strftime(Time,"%Y-%m-%d %l:%M:%S")
| eval Downtime = now() - Time
| where Downtime > 3600
| eval Downtime = tostring(Downtime, "duration")
| rex field=Downtime "(?P<Downtime>[^.]+)"

| table nodelabel, Status, Downtime, Time
If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎12-09-2020 02:50 AM

@jerinvarghese , you should filter the Downtime values before formatting like below;

index=opennms "ciscoLwappApIfUpNotify" OR "ciscoLwappApIfDownNotify"
| rex field=eventuei "ciscoLwappApIf(?<Status>.+)"
| stats max(_time) as Time latest(Status) as Status by nodelabel
| where Status="DownNotify"

| fieldformat Time=strftime(Time,"%Y-%m-%d %l:%M:%S")
| eval Downtime = now() - Time
| where Downtime > 3600
| eval Downtime = tostring(Downtime, "duration")
| rex field=Downtime "(?P<Downtime>[^.]+)"

| table nodelabel, Status, Downtime, Time
If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Get ready to show some Splunk Certification swagger at .conf24!

Dive into the deep end of data by earning a Splunk Certification at .conf24. We're enticing you again this ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Now On-Demand Join us to learn more about how you can leverage Service Level Objectives (SLOs) and the new ...

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...