I have the feeling this should be easy, but I can't figure it out. I want to determine a host's percent uptime over an arbitrary time interval. The hosts have a particular counter they send every sixty seconds if they're up, so I can search:
index=foo counter=bar | bin _time span=1m | stats dc(_time) by host
Use the addinfo command. It will create the fields containing epoch values for info_min_time (the lower timebound for the search, or 0 if no lower timebound exists), info_max_time (the upper timebound for the search, or current time if no upper timebound exists), and info_search_time (when the search was issued). So you could do something like:
... | addinfo | eval searchinterval=info_max_time-info_min_time | ...
Bingo. Thanks.
For posterity, I had to change my stats command to avoid summarizing away the interval field:
... | stats dc(_time) as Up, values(interval) as interval by host | ...
How about:
stats max(_time) as end min(_time) as start | eval rangeInSeconds=(end-start)
That's what I'm already doing in my subsearch. I was looking for a way to avoid the extra calculation.
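The addinfo approach and the adjusted stats command from the thread, assembled into one percent-uptime search as an added example (not a search posted by any participant). The field names expected and pct_uptime are assumptions introduced here, and the cap with min() covers time ranges that are not minute-aligned and so touch one more 1-minute bin than the interval holds. It assumes the search runs over a bounded time range, so that info_min_time is not 0.

```spl
index=foo counter=bar
| bin _time span=1m
| addinfo
| eval interval = info_max_time - info_min_time
| stats dc(_time) as Up, values(interval) as interval by host
| eval expected = floor(interval / 60)
| eval pct_uptime = round(100 * min(Up, expected) / expected, 2)
| fields host Up expected pct_uptime
```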