I have some device logs and am trying to determine the outage (downtime) duration.
The problem I have here is that events are constantly being thrown, and I have difficulty capturing the right one to determine the downtime.
     FIRSTOCCURRENCE      LASTOCCURRENCE       SUMMARY
1    2016-10-12 16:11:17  2016-10-12 16:11:17  Interface Down:
3    2016-11-06 01:59:14  2016-11-06 01:59:14  Interface Down:
4    2016-11-06 01:59:14  2016-11-06 01:59:14  Interface Down:
5    2016-11-06 02:00:01  2016-11-06 02:00:01  Interface Up:
6    2016-11-06 02:00:01  2016-11-06 02:00:01  Interface Up:
7    2016-11-08 00:56:09  2016-11-08 00:56:09  Interface Down:
8    2016-11-08 00:56:09  2016-11-08 00:56:09  Interface Down:
10   2016-11-08 00:56:09  2016-11-08 00:56:09  Interface Down:
11   2016-11-08 00:56:55  2016-11-08 00:56:55  Interface Up:
12   2016-11-08 00:56:55  2016-11-08 00:56:55  Interface Up:
13   2016-11-08 01:05:55  2016-11-08 01:05:55  Interface Up:
The difference between the FIRSTOCCURRENCE of the first "Interface Down" and the FIRSTOCCURRENCE of the first "Interface Up" is the total outage hours.
According to the example above: outage 1 (2016-10-12 16:11:17 - 2016-11-06 02:00:01), outage 2 (2016-11-08 00:56:09 - 2016-11-08 00:56:55).
Currently I am using the transaction command, but it takes the whole outage as outage hours, i.e. outage_hours is 2016-10-12 16:11:17 - 2016-11-08 01:05:55:
basic search | transaction HOSTNAME, startswith=(SUMMARY="Interface Down:") endswith=(SUMMARY="Interface Up:") keeporphans=true keepevicted=true maxspan=28d
Any suggestions are appreciated!
Any chance you can adjust the logs to also add the name of the actual interface as a field? You could then try "| transaction hostname interface startswith..."
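The pairing rule the question describes (the first "Interface Down" opens an outage, repeated Downs while already down are ignored, the first "Interface Up" closes it, later Ups are ignored) is a small per-host state machine. The following Python is an added illustration of that rule outside Splunk, not code from the original thread or from Splunk; the events, the hostname `router1` and the function names are constructed to mirror the table in the question. It reports an outage with no matching Up as still open instead of dropping it, and it can be keyed by (host, interface) instead of host alone once the interface field the reply suggests is available.

```python
from datetime import datetime

# Constructed sample events modelled on the question's table:
# (FIRSTOCCURRENCE, hostname, SUMMARY). Not real device logs.
SAMPLE_EVENTS = [
    ("2016-10-12 16:11:17", "router1", "Interface Down:"),
    ("2016-11-06 01:59:14", "router1", "Interface Down:"),
    ("2016-11-06 01:59:14", "router1", "Interface Down:"),
    ("2016-11-06 02:00:01", "router1", "Interface Up:"),
    ("2016-11-06 02:00:01", "router1", "Interface Up:"),
    ("2016-11-08 00:56:09", "router1", "Interface Down:"),
    ("2016-11-08 00:56:09", "router1", "Interface Down:"),
    ("2016-11-08 00:56:09", "router1", "Interface Down:"),
    ("2016-11-08 00:56:55", "router1", "Interface Up:"),
    ("2016-11-08 00:56:55", "router1", "Interface Up:"),
    ("2016-11-08 01:05:55", "router1", "Interface Up:"),
]

TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_ts(value):
    """Parse a FIRSTOCCURRENCE string into a naive datetime (no timezone/DST handling)."""
    return datetime.strptime(value, TS_FORMAT)


def compute_outages(events):
    """Return a list of (host, down_ts, up_ts, seconds), one entry per outage.

    Rule from the question: the earliest Down opens an outage for the host,
    further Downs while it is already down are ignored, the first Up closes it,
    and Ups that arrive while the host is already up are ignored as orphans.
    An outage that never sees an Up is returned with up_ts and seconds = None.
    """
    # Sort by FIRSTOCCURRENCE; Python's sort is stable, so same-second
    # events keep their original order.
    ordered = sorted(events, key=lambda e: parse_ts(e[0]))
    open_since = {}   # host -> datetime of the Down that opened the outage
    outages = []
    for ts_str, host, summary in ordered:
        ts = parse_ts(ts_str)
        if summary.startswith("Interface Down"):
            # Keep the earliest Down; repeated Downs do not restart the clock.
            open_since.setdefault(host, ts)
        elif summary.startswith("Interface Up"):
            start = open_since.pop(host, None)
            if start is not None:
                duration = int((ts - start).total_seconds())
                outages.append((host, start, ts, duration))
            # else: Up without an open outage, ignore it
    # Report anything still down at the end of the window as an open outage.
    for host, start in open_since.items():
        outages.append((host, start, None, None))
    return outages


def total_outage_seconds(outages):
    """Sum the closed outages only; open ones have no duration yet."""
    return sum(o[3] for o in outages if o[3] is not None)


if __name__ == "__main__":
    result = compute_outages(SAMPLE_EVENTS)
    for host, down, up, secs in result:
        print(host, down, up, secs)
    print("total seconds:", total_outage_seconds(result))
```

Keying `open_since` on `host` reproduces the question's expectation of two outages for the sample; if several interfaces on one host flap independently, key on `(host, interface)` so one interface's Up does not close another's outage, which is the point of the reply's suggestion.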