Splunk Search

system uptime calculation

pprakash2
Explorer

I have a field uptime which is being forwarded from one of the server i want to monitor its uptime. This field has accumulated value of time in seconds. How do i calculate uptime of server in percentage given the date range.

Tags (1)
1 Solution

ehudb
Contributor

Assuming uptime values makes sense: for this example first two lines have the same starting time.
And timestamp is recognized as _time field,

If the source looks like this:

|makeresults |eval a="time=15-01-2016 02:05:34.00, uptime=1231 BR
time=15-01-2016 02:45:32.00, uptime=3629 BR
time=16-01-2016 06:03:15.00, uptime=93253" |table a
|makemv delim="BR" a |mvexpand a |rename a as _raw |extract |eval _time=strptime(time,"%d-%m-%Y %H:%M:%S") |table _time uptime 



_time                 uptime
--------------------------------
2016-01-15 02:05:34 1231
2016-01-15 02:45:32 3629
2016-01-16 06:03:15 93253

Then the following query will calculate the precentage of uptime and downtime

|makeresults |eval a="time=15-01-2016 02:05:34.00, uptime=1231 BR
time=15-01-2016 02:45:32.00, uptime=3629 BR
time=16-01-2016 06:03:15.00, uptime=93253" |table a
|makemv delim="BR" a |mvexpand a |rename a as _raw |extract |eval _time=strptime(time,"%d-%m-%Y %H:%M:%S") |table _time uptime 


|eval start=_time-uptime,end=_time |eval startc=start,endc=end  
|convert ctime(*c) |sort - _time |dedup start |reverse | streamstats values(end) as before_end window=1 current=f |eval downtime=start-before_end |stats sum(uptime) as uptime sum(downtime) as downtime
|eval overall=uptime+downtime |eval uptime=(uptime/overall)*100,downtime=(downtime/overall)*100 |table uptime downtime

Result:

uptime  downtime
95.08   4.92

View solution in original post

ehudb
Contributor

Assuming uptime values makes sense: for this example first two lines have the same starting time.
And timestamp is recognized as _time field,

If the source looks like this:

|makeresults |eval a="time=15-01-2016 02:05:34.00, uptime=1231 BR
time=15-01-2016 02:45:32.00, uptime=3629 BR
time=16-01-2016 06:03:15.00, uptime=93253" |table a
|makemv delim="BR" a |mvexpand a |rename a as _raw |extract |eval _time=strptime(time,"%d-%m-%Y %H:%M:%S") |table _time uptime 



_time                 uptime
--------------------------------
2016-01-15 02:05:34 1231
2016-01-15 02:45:32 3629
2016-01-16 06:03:15 93253

Then the following query will calculate the precentage of uptime and downtime

|makeresults |eval a="time=15-01-2016 02:05:34.00, uptime=1231 BR
time=15-01-2016 02:45:32.00, uptime=3629 BR
time=16-01-2016 06:03:15.00, uptime=93253" |table a
|makemv delim="BR" a |mvexpand a |rename a as _raw |extract |eval _time=strptime(time,"%d-%m-%Y %H:%M:%S") |table _time uptime 


|eval start=_time-uptime,end=_time |eval startc=start,endc=end  
|convert ctime(*c) |sort - _time |dedup start |reverse | streamstats values(end) as before_end window=1 current=f |eval downtime=start-before_end |stats sum(uptime) as uptime sum(downtime) as downtime
|eval overall=uptime+downtime |eval uptime=(uptime/overall)*100,downtime=(downtime/overall)*100 |table uptime downtime

Result:

uptime  downtime
95.08   4.92

pprakash2
Explorer

Thanks Ehud, this was helpful!

0 Karma

pprakash2
Explorer

Thanks morley, this query works for events starting with uptime 0 to some value, if server restarts, uptime starts from 0. for this scenario, the uptime calculation doesn't workout!

[2017-02-09 04:53:27,006]: host="infor-gtnalpq-msa1-1" , uptime="327"
[2017-02-09 04:53:28,006]: host="infor-gtnalpq-msa1-1" , uptime="328"
[2017-02-09 04:53:29,006]: host="infor-gtnalpq-msa1-1" , uptime="329"
[2017-02-09 04:53:30,006]: host="infor-gtnalpq-msa1-1" , uptime="330"
[2017-02-09 04:53:34,006]: host="infor-gtnalpq-msa1-1" , uptime="0"
[2017-02-09 04:53:35,006]: host="infor-gtnalpq-msa1-1" , uptime="1"
[2017-02-09 04:53:36,006]: host="infor-gtnalpq-msa1-1" , uptime="2"
[2017-02-09 04:53:37,006]: host="infor-gtnalpq-msa1-1" , uptime="3"
[2017-02-09 04:53:38,006]: host="infor-gtnalpq-msa1-1" , uptime="4"

0 Karma

pprakash2
Explorer

example splunk events below:

timestamp=15-01-2016 02:05:34.00, uptime=1231
timestamp=15-01-2016 04:07:22.00, uptime=2398
timestamp=16-01-2016 06:03:15.00, uptime=198792

if the servecr is restarted the uptime counter starts from 0. Based on these events, i need to calculate the % uptime , % downtime for the server. Could you please assist.

0 Karma

ehudb
Contributor

It would help if you will post some examples to the uptime and date range fields

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...