I would like to calculate availability time based on gaps between logs.
So far I have this:
index=servers sourcetype=servers_data HostName=examplehost | streamstats current=f last(_time) as last_time by HostName | eval gap = last_time - _time | where gap > 320 | convert ctime(last_time) as last_time | stats sum(gap) AS Unavailability_sec by HostName | addinfo | eval range = info_max_time - info_min_time | eval Availability= 100 - (Unavailability_sec* 100 / range) | stats count | eval msg = if(count!=0, Availability, "100" ) | table msg
But when it reaches gaps, meaning count != 0, it always shows no results found.
Try this
index=servers sourcetype=servers_data HostName=examplehost | streamstats current=f last(_time) as last_time by HostName | eval gap = last_time - _time | eval Unavailability=if(gap > 320,gap,0) | addinfo | eval range = info_max_time - info_min_time | stats sum(Unavailability) AS Unavailability_sec max(range) as range by HostName | eval Availability= 100 - (Unavailability_sec* 100 / range)
Gives availability per host.
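The arithmetic of the query above, modelled in Python on constructed timestamps so its output can be checked by hand. This is an added example, not part of the original answer: the function name `availability`, the `count_edges` option and the sample events are assumptions made for illustration.

```python
from collections import defaultdict

GAP_THRESHOLD = 320  # seconds; the threshold used in the thread's query


def availability(events, info_min_time, info_max_time,
                 threshold=GAP_THRESHOLD, count_edges=False):
    """Return {host: availability %} for (host, epoch_seconds) events.

    Mirrors the query: gap = last_time - _time between consecutive events,
    gaps above the threshold are summed, range = info_max_time - info_min_time.
    count_edges is an added option (not in the query) that also measures the
    silence between the window bounds and the first/last event.
    """
    window = info_max_time - info_min_time
    if window <= 0:
        raise ValueError("search window must have positive length")
    by_host = defaultdict(list)
    for host, ts in events:
        if info_min_time <= ts <= info_max_time:
            by_host[host].append(ts)
    result = {}
    for host, stamps in by_host.items():
        points = sorted(stamps, reverse=True)  # newest first, as Splunk returns
        if count_edges:
            points = [info_max_time] + points + [info_min_time]
        down = sum(newer - older
                   for newer, older in zip(points, points[1:])
                   if newer - older > threshold)
        result[host] = 100 - down * 100 / window
    return result  # hosts with no events in the window get no row at all


# Constructed sample: one event every 300 s in a 0..6000 s window.
# hostA is silent from 900 to 2400; hostB stops logging at 3000.
SAMPLE = (
    [("hostA", t) for t in [*range(0, 901, 300), *range(2400, 6001, 300)]]
    + [("hostB", t) for t in range(0, 3001, 300)]
)

if __name__ == "__main__":
    print(availability(SAMPLE, 0, 6000))
    print(availability(SAMPLE, 0, 6000, count_edges=True))
```

With the query's logic hostB comes out at 100 even though it sent nothing for the second half of the window, because only gaps between two events are measured; with `count_edges=True` it drops to 50.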
Thanks! It is working as it should 🙂