Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to calculate uptime percentage based on my data?

rakes568
Explorer
‎07-24-2017 10:33 AM

Lets say my data is like this:

8/27/12 10:30:00.000 AM server=test1 and status=Down
8/27/12 10:29:00.000 AM server=test2 and status=Up
8/27/12 10:28:00.000 AM server=test3 and status=Down
8/27/12 10:27:00.000 AM server=test4 and status=Up
8/27/12 10:26:00.000 AM server=test1 and status=Up
8/27/12 10:25:00.000 AM server=test2 and status=Down
8/27/12 10:24:00.000 AM server=test3 and status=Up
8/27/12 10:23:00.000 AM server=test4 and status=Down

I want to calculate total uptime % for each server using total uptime(sum of all time differences between up status and next down status) divided by the total time starting when Splunk receives the first status message for a server.

Reply

johnward4
Communicator
‎06-28-2020 02:12 AM

What did you end up doing for this? I'm trying to do the same calculation but I'm trying to use the 

index=_index source=*splunkd.log (event_message="*Splunkd starting*" OR event_message="*Shutting down splunkd")

0 Karma
Reply

cmerriman
Super Champion
‎07-24-2017 01:04 PM

this might be a good starting point:

|sort 0 server _time|streamstats current=f window=1 values(status) as prevStatus values(_time) as prevTime by server|eval diff=_time-prevTime

i'm not sure if you're values always go from Up to Down/Down to Up. You might need to add an eval in there that says |eval UpToDown=if(prevStatus="Up" AND status="Down",diff,null()) or something along those lines if you want it from Up to Down.

0 Karma
Reply

cpetterborg
SplunkTrust
SplunkTrust
‎07-24-2017 11:54 AM

Is the reporting of the status of the servers on a regular basis? Or does it come in only when the status changes? For example, if it comes in regularly, then I would expect to see an event every 5 minutes (or whatever intervalic is to come in). If it only comes in at a status change, then you might go the entire period of the search without a single entry for a server. This difference makes the approach to solving your problem completely different.

0 Karma
Reply

rakes568
Explorer
‎07-26-2017 12:22 AM

It's not on a regular basis. It gets reported only when status changes. But there can also be some cases, when two status consecutively received are Up(or Down).

0 Karma
Reply

jberwick_splunk
Splunk Employee
Splunk Employee
‎07-24-2017 12:37 PM

You could try using transaction this will combine the events and create a duration field which will be the time between the 2 events. "| transaction server startswith=status=Up endswith=status=Down"

You would then need to calculate the time from last 24 hrs for example and then work the percentage.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...