Re: percent of sum over total elapsed time

SamPask · ‎07-16-2014

I'd like to write a report in Splunk that would give me sum(downTimeInSec) as a percentage of total time, 3 days.

The search, "site=" |chart sum(downTimeInSec) by site, gives me this
63660-Sao Paulo Campinas 736

I'd like to have something like this:

63660-SaoPauloCampinas 736 .28394%

where the 3rd column is calculated as follows ((736 sec * 100%)/(3 days*86400 sec/day))
Thanks in advance for your help.

Suda · ‎07-16-2014

Hello,

Could you try to use the following search conditions?

"site="
| stats sum(downTimeInSec) AS TotalDowmTimeInSec by site
| eval ratio = round(TotalDownTimeInSec * 100 / (3*24*60*60), 5)."%"

I hope it helps you.

Thanks.

musskopf · ‎07-16-2014

Hello,

You could use like that:

index=downtimes | addinfo | eval reportDuration=info_max_time-info_min_time | stats sum(downTimeInSec) AS totalDowntime, values(reportDuration) AS reportDuration by site | eval percentDown=(totalDowntime*100)/reportDuration

the addinfo will add some information related to your search, and now you can use it. You report will show the % based on the period you searched.

SamPask · ‎07-16-2014

here's my event line for the question
7/16/14 10:28:45.000 AM Jul 16 10:28:45 10.251.250.222 2014-7-16T10:28:45-08:00 source 14 site=Sao Paulo Campinas, downTimeInSec=736, startTime=2014-07-16T10:16:29-08:00, endTime=2014-7-16T10:28:45-08:00

percent of sum over total elapsed time

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...