- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- distributing duration time into time-span buckets
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
distributing duration time into time-span buckets
I've got system uptime duration records and want to break them into hours per day. Goal is to calculate mean time to interrupt over a 14-day sliding window via streamstats.
For example, given uptime=60 (hours) at 4/18/2011 08:00:00, I'd like the following buckets:
4/15/2011 00:00:00 uptime=4
4/16/2011 00:00:00 uptime=24
4/17/2011 00:00:00 uptime=24
4/18/2011 00:00:00 uptime=8
Custom command, or other way? Thanks for any help!
Related to http://answers.splunk.com/questions/6999/stats-sumduration-by-user-date-month-date-year-not-really-a... but I need more help 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This way you would not account for systems with an uptime over 14 days, am I right?
I'd propose you a different approach: for each host, only count the uptime hours which are "included" in the current rolling 14-days period, then average the numbers...
sourcetype=uptime
| eval maxHoursInPeriod=round((_time - (now() - 86400*14))/3600,0)
| eval uptimeHoursInPeriod=min(100000,uptime,maxHoursInPeriod)
| stats avg(uptimeHoursInPeriod) by machine
Here:
- maxHoursInPeriod = the maximum number of hours that host could have been up during the current time period (date of the event - date of the period start)
- uptimeHoursInPeriod = how many uptime hours the host has been up during the period. The 100000 is just used to force Splunk to perform numeric comparisons (there's an answer on this topic somewhere)
Here's some sample logdata (machine is my "host")
2011/02/03 07:00:21 - uptime=170 machine=a
2011/02/07 07:00:21 - uptime=60 machine=a
2011/02/07 09:08:47 - uptime=23 machine=b
2011/02/07 10:10:04 - uptime=7 machine=c
2011/02/07 11:59:09 - uptime=25 machine=d
2011/02/07 19:50:00 - uptime=10 machine=b
2011/02/09 10:00:00 - uptime=50 machine=a
2011/02/10 14:00:00 - uptime=74 machine=b
2011/02/11 20:00:00 - uptime=105 machine=c
2011/02/14 23:59:00 - uptime=179 machine=d
I am faking the now() to be Feb 10th, 0:0:0 GMT (epoch=1297296000), so my 14-days period actually starts on Jan 28th at 0:0:0. Here's the search I've used
sourcetype=uptime latest=1297296000 | eval p=1297296000
| eval maxHoursInPeriod=round((_time - (p - 86400*14))/3600,0)
| eval uptimeHoursInPeriod=min(100000,uptime,maxHoursInPeriod)
| stats avg(uptimeHoursInPeriod) by machine
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Good idea - I think this works fine for a single window position. And for a sliding window, I could run nightly and save to summary. I now realize issues if there are no uptime records within the search window, and accounting for time since the latest record, but think I can handle those. Thanks!
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
