Solved: How to generate a timechart search for a running p...

ajobling1964 · ‎07-14-2017

I have an SLA that states for a 12 month window the average availability must be > 95%. This can be calculated for today in a straightforward manner e.g. sucessful pings / total pings for the last 365 days and this gives the current performance against sla. However I have been request to track this over time i.e.. what was the overall performance (year to date) on each day up until the current date. Can this be done in Splunk?

cmerriman · ‎07-14-2017

if i'm understanding, yes.

so your time range would be earliest=-366d@d latest=@d and that would get you 365 days ago from yesterday through yesterday.

if you need to calculate the daily availability and the overall, it would be something like this:

|timechart span=1d sum(successfulPings) as successfulPings sum(totalPings) as totalPings
|eventstats sum(successfulPings) as successfulPings365 sum(totalPings) as totalPings365
|eval dailyAvailability=round(successfulPings/totalPings*100,2)
|eval Rolling365Availability=round(successfulPings365/totalPings365*100,2)

does that work/make sense?

View solution in original post

cmerriman · ‎07-14-2017

if i'm understanding, yes.

so your time range would be earliest=-366d@d latest=@d and that would get you 365 days ago from yesterday through yesterday.

if you need to calculate the daily availability and the overall, it would be something like this:

|timechart span=1d sum(successfulPings) as successfulPings sum(totalPings) as totalPings
|eventstats sum(successfulPings) as successfulPings365 sum(totalPings) as totalPings365
|eval dailyAvailability=round(successfulPings/totalPings*100,2)
|eval Rolling365Availability=round(successfulPings365/totalPings365*100,2)

does that work/make sense?

ajobling1964 · ‎07-17-2017

Thank you for your response.

I am still struggling to get the output I require. I need to know on a given day in the year, what was the average availability up until that point in the year; Idealy I would want to plot this in a chart.

cmerriman · ‎07-17-2017

oh i'm sorry, i misunderstood then.

 |timechart span=1d sum(successfulPings) as successfulPings sum(totalPings) as totalPings
 |streamstats global=t current=t sum(successfulPings) as successfulPingsTD sum(totalPings) as totalPingsTD
 |eval RollingToDateAvailability=round(successfulPingsTD/totalPingsTD*100,2)

try something like this. the streamstats should add in a rolling sum for each day, and the eval should add the percentage.

ajobling1964 · ‎07-17-2017

Thanks - that seems to be close to what I need - I just need to verify the figures now.

ajobling1964 · ‎07-18-2017

I now have it working and the figures are fine. The only problem is the chart doesn't display too well because availability is circa 95% whereas the running total of pings is many thousand. could the results be piped into another chart?

cmerriman · ‎07-18-2017

could you do a chart overlay? put the percentage on one axis and the total pings on the other?

How to generate a timechart search for a running percentage?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms