- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to edit my search to compute host up times...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to edit my search to compute host up times with a lookup table and importance value?
I have to take a logfile and extract certain fields to present as a percentage of availability ("UP" host_names).
I need to group two host_names with different suffixes, match if down for 5 minutes, then report as down.
Then I need to create a lookup table to match host_names as site_names to be listed on output and a "weighting" value of each site.
I have the following search:
source="/home/splunk/nagios_temp/var/nagios.log" NGTC*P OR NGTC*S status_code="DOWN" OR "CRITICAL" OR "HARD" NOT OK NOT SOFT | dedup 1 host_name sortby -_time | transaction maxspan=5s maxpause=300s | lookup TCSiteXref.csv host_name OUTPUT site_name, site_weight, total_weight | search site_name=* | stats min(site_weight) as site_weight min(total_weight) as total_weight by site_name | eval availability=(total_weight/site_weight) | fields site_name, availability | sort by - availability
My results produce a table with site_name and "availability" as the metric of weighting, not percentages of all sites up. My logic is askew.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The percentage shouldn't be : availability=(site_weight/total_weight) ?
Try the top command after eval to get % automatically
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your answer. I have bee n playing with top for percentages. Percentages(is supposed to equal)=the value of weight. I did try | top site_name by availability_metric which produces a backwards percentage i.e. meaning the availability(metric) is a lower number with a high percentage and all are "counts" of one.
So to your point just doing the | top (availability) after the eval produces a correct percentage of availability but no site_names field - tried fields site_name to no avail
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you post some sample data and expected output? Also include 1-2 rows from lookup.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
source="/home/splunk/nagios_temp/var/nagios.log" NGTC*P OR NGTC*S status_code="DOWN" OR "CRITICAL" OR "HARD" NOT OK NOT SOFT | dedup 1 host_name sortby -_time | transaction maxspan=5s maxpause=>300s | lookup TCSiteXref.csv host_name OUTPUT site_name, site_weight, total_weight | search site_name=* | stats min(site_weight) as site_weight min(total_weight) as total_weight by site_name | eval availability_metric=(total_weight/site_weight) | fields availability_metric, site_name | top availability_metric
availability_metric count percent
703.492374 3 33.333333
684.983196 1 11.111111
671.700154 1 11.111111
658.223864 1 11.111111
530.223672 1 11.111111
436.152859 1 11.111111
305.26611 1 11.111111
Want site_names (field) to the left. And after all that I will have to get an overall percentage (only equals 99.999999% I realize) to show in a panel. Thanks
Detecting Remote Code Executions With the Splunk Threat Research Team
Observability | Use Synthetic Monitoring for Website Metadata Verification
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
