- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- how to calculate uptime based on below result, (to...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
how to calculate uptime based on below result, (total no of up events)*100/(total no of events)
8/27/12 10:24:04.000 AM server=Test and status=Up host=test1
8/27/12 10:24:04.000 AM server=test1 and status=Up host=test1
8/27/12 10:24:04.000 AM server=test2 and status=Down host=test1
8/27/12 10:24:00.000 AM server=test3 and status=Up host=test1
8/27/12 10:23:04.000 AM server=test4 and status=Down host=test1
i tried running the query:
sourcetype="result"| stats count as num_events , count(eval(status=Up)) as upevent by server
but not working as expected, unable to get the numbers of up event and total events together
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just add the "by" clause to the stats command:
sourcetype=result| eval up_int=if(status="Up",1,0)| stats count as num_events , sum(up_int) as num_up by host| eval uptime=num_up*100/num_events
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sourcetype=result| eval up_int=if(status="Up",1,0)| stats count as num_events, sum(up_int) as num_up by server| eval uptime=num_up*100/num_events|fields server uptime
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I wonder if your formula really represents uptime. I would calculate it like this:
sourcetype=result | fields server | dedup server
| map [ search sourcetype=result server=$server$ | sort _time | delta _time as timeDelta
| streamstats last(status) as lastStatus
| status sum(eval(lastStatus="Down")) as downtime sum(eval(lastStatus="Up")) as uptime
| eval percentUptime = round((uptime*100)/(uptime+downtime),1)
| fields server, uptime, downtime, percentUptime ]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
this is working for me and giving correct uptime...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks dwaddle,
i have modified above search to
sourcetype=result| eval up_int=if(status="Up",1,0)| stats count as num_events , sum(up_int) as num_up| eval uptime=num_up*100/num_events
result:
num_events num_up uptime
1 366 305 83.333333
how can we get the result by server
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
One alternative approach could work something like this:
sourcetype=result
| eval up_int=if(status="Up",1,0)
| stats count as num_events, sum(up_int) as num_up
| eval num_down=num_events - num_up
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks, working fine...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sourcetype=result
| eval up_int=if(status="Up",1,0)
| stats count as num_events, sum(up_int) as num_up by server
| eval num_down=num_events - num_up
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
