Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to edit my search to calculate time availability based on gaps between logs?

kanet
New Member
‎06-06-2016 07:11 AM

I would like to calculate availability time based on gaps between logs
so far I have this:

index=servers sourcetype=servers_data HostName=examplehost | streamstats current=f last(_time) as last_time by HostName  | eval gap = last_time - _time | where gap > 320  | convert ctime(last_time) as last_time | stats sum(gap) AS Unavailability_sec by HostName | addinfo  | eval range = info_max_time - info_min_time  | eval Availability= 100 - (Unavailability_sec* 100 / range) | stats count | eval msg = if(count!=0, Availability, "100" ) | table msg

But when it reach gaps means count != 0 then its always showing no results found.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎06-06-2016 09:12 AM

Try this

index=servers sourcetype=servers_data HostName=examplehost | streamstats current=f last(_time) as last_time by HostName  | eval gap = last_time - _time | eval Unavailability=if(gap > 320,gap,0)  | addinfo  | eval range = info_max_time - info_min_time | stats sum(Unavailability) AS Unavailability_sec max(range) as range by HostName  | eval Availability= 100 - (Unavailability_sec* 100 / range)

Gives availability per host.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎06-06-2016 09:12 AM

Try this

index=servers sourcetype=servers_data HostName=examplehost | streamstats current=f last(_time) as last_time by HostName  | eval gap = last_time - _time | eval Unavailability=if(gap > 320,gap,0)  | addinfo  | eval range = info_max_time - info_min_time | stats sum(Unavailability) AS Unavailability_sec max(range) as range by HostName  | eval Availability= 100 - (Unavailability_sec* 100 / range)

Gives availability per host.

0 Karma
Reply
Solved! Jump to solution

kanet
New Member
‎06-07-2016 12:48 AM

Thanks! it is working as should 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...