Splunk Search

How do I use the data from a ping script to build a 30 day availability chart?

heybails88
Path Finder

I have a ping script sending up and down info to a log. I've parsed out the IP to node name using a lookup table, a regex, and an updown extraction report, but how can I push that into a chart that shows the status of each node, up or down, over 30 days? Basically, what happens when I do what I'm doing is things just repeat over and over again unless the status changes. Here's what I have right now:

index=index IPregex=* upordown=* | rename IPregex as IP | lookup nodes.csv IP | dedup IP | table _time,NODENAME,upordown

Any help would be greatly appreciated.

0 Karma
1 Solution

somesoni2
SplunkTrust

My first try would be this; see if it matches or is close to what you expect.

index=index IPregex=* upordown=* | rename IPregex as IP | lookup nodes.csv IP | eval upordown=if(upordown="available",1,0) | timechart span=1d max(upordown) by NODENAME limit=0

If you use a column chart with the above search, it'll show a column (with value 1) for a node that was up at least once that day. If it was down for the whole day, it will show no value, indicating down. If you change the span to 1 hour (1h), the same will be shown per hour. You can also change the upordown value to -1 for down (the second part of the eval), so that it'll show a negative column instead of no column when the node was down for the whole span.


heybails88
Path Finder

OK, thanks. I'll let you know.

0 Karma

heybails88
Path Finder

Well, it's basically a chart with a right-side legend of 5 pages of nodes and not a graph. But I like where you're going with this. What I ultimately need is a simple graph or table showing a percentage uptime of each node on the list (about 43 of them) for a salesperson so she can report that this node has been up for 30 days straight or whatever if a customer complains that they aren't getting data. So perhaps the table with "bright lights" is where I need to go with this, if you know what I mean.

0 Karma

somesoni2
SplunkTrust

Give this a try

index=index IPregex=* upordown=* | rename IPregex as IP | lookup nodes.csv IP
| chart count over NODENAME by upordown
| fillnull value=0 available down
| eval Availability=round((available*100)/(available+down))
| table NODENAME Availability
| rangemap field=Availability severe=0-75 elevated=75-99 default=low

0 Karma

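The two searches in this thread (the per-day `timechart max(upordown)` in the accepted answer and the `chart count ... | eval Availability` table above) are modelled below in Python as an added example; it is not from the original posts and not Splunk's own code. It exists to make one behaviour visible outside Splunk: a node that never went down has no `down` column after `chart count over NODENAME by upordown`, so the eval divides by null and the 100% nodes silently drop out of the table, which is exactly the symptom reported later in the thread. The log format (`timestamp IP status`), the IPs and the node names in `SAMPLE_LOG` and `NODES_CSV` are constructed for illustration, not taken from the page.

```python
"""Plain-Python model of the thread's two SPL searches (added example).

The log layout, IPs and node names below are constructed; the real ping
script's format is not shown on the page.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log: "<ISO timestamp> <IP> <available|down>"
SAMPLE_LOG = """\
2024-03-01T00:05:00 10.0.0.1 available
2024-03-01T06:05:00 10.0.0.1 down
2024-03-01T12:05:00 10.0.0.1 available
2024-03-02T00:05:00 10.0.0.1 available
2024-03-01T00:05:00 10.0.0.2 available
2024-03-02T00:05:00 10.0.0.2 available
2024-03-01T00:05:00 10.0.0.3 down
2024-03-02T00:05:00 10.0.0.3 down
2024-03-02T12:05:00 10.0.0.3 available
"""

# Constructed stand-in for the nodes.csv lookup (IP -> NODENAME)
NODES_CSV = {"10.0.0.1": "edge-a", "10.0.0.2": "edge-b", "10.0.0.3": "edge-c"}


def parse_log(text, lookup=NODES_CSV):
    """Parse log lines and resolve IP -> NODENAME.

    Mirrors `rename IPregex as IP | lookup nodes.csv IP`. An IP missing from
    the lookup leaves NODENAME null, and `chart ... over NODENAME` drops such
    rows, so they are skipped here as well.
    """
    events = []
    for line in text.splitlines():
        ts, ip, status = line.split()
        node = lookup.get(ip)
        if node is None:
            continue
        events.append((datetime.fromisoformat(ts), node, status))
    return events


def daily_max_status(events):
    """`eval upordown=if(upordown="available",1,0) | timechart span=1d max(upordown) by NODENAME`.

    Returns {NODENAME: {date: 0|1}}; 1 means the node answered at least once that day.
    """
    table = defaultdict(dict)
    for ts, node, status in events:
        day = ts.date().isoformat()
        up = 1 if status == "available" else 0
        table[node][day] = max(table[node].get(day, 0), up)
    return dict(table)


def status_counts(events):
    """`chart count over NODENAME by upordown` -> {NODENAME: Counter}."""
    counts = defaultdict(Counter)
    for _, node, status in events:
        counts[node][status] += 1
    return counts


def availability_naive(events):
    """round((available*100)/(available+down), 2) with no null handling.

    A node with zero 'down' events has no 'down' column, so Splunk's eval runs
    on null and returns null: the node vanishes from the Availability table.
    """
    result = {}
    for node, c in status_counts(events).items():
        available, down = c.get("available"), c.get("down")  # None when the column is absent
        result[node] = (None if available is None or down is None
                        else round(available * 100 / (available + down), 2))
    return result


def availability(events):
    """Same eval after `eval down=if(isnull(down),0,down)` (or `fillnull value=0`).

    Missing columns count as 0, so a node that never went down reports 100.0.
    """
    result = {}
    for node, c in status_counts(events).items():
        available, down = c["available"], c["down"]  # Counter gives 0 when absent
        total = available + down
        result[node] = round(available * 100 / total, 2) if total else None
    return result


def rangemap(value):
    """`rangemap field=Availability severe=0-75 elevated=75-99 default=low`.

    Range bounds are inclusive; a value sitting on the shared bound 75 is
    resolved to the first listed range in this model. 100 matches neither
    range and gets the default label.
    """
    if value is None:
        return None
    if 0 <= value <= 75:
        return "severe"
    if 75 <= value <= 99:
        return "elevated"
    return "low"


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("naive  :", availability_naive(ev))  # edge-b is None: the dropped 100% node
    print("guarded:", {n: (p, rangemap(p)) for n, p in availability(ev).items()})
```

Running the block shows `edge-b` as `None` in the naive table and as `100.0` / `low` once the missing `down` column is treated as 0, which is the difference between the "non-working" and fixed searches further down the thread.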
heybails88
Path Finder

I like it!!! Thanks. I'm actually going to use both and build a nice dashboard with drop downs to pick the node. Thanks for your help.

0 Karma

somesoni2
SplunkTrust

Glad it's useful for you. If there are no follow-up questions, don't forget to close the question by accepting the answer.

0 Karma

heybails88
Path Finder

I do have one more issue. I've tried to create a single panel using the above that searches for one node in the "IPregex". This only works for any node that isn't at 100% or in the top range. So any node that's OK doesn't appear in the Availability column. Here's the comparison of the two searches (I made some changes to the original search...I just took out the rangemap and used graph color ranges).

So the working search:
index=index IPregex=* upordown=* | rename upordown as status | rename IPregex as IP | lookup nodes.csv IP | chart count over NODENAME by status | eval Availability=round((available*100)/(available+down),2) | table NODENAME,Availability

The non-working search:
index=index IPregex=10.0.0.1 upordown=* | rename upordown as status | rename IPregex as IP | lookup nodes.csv IP | chart count over NODENAME by status | eval Availability=round((available*100)/(available+down),2) | table NODENAME,Availability

0 Karma

heybails88
Path Finder

Just made a change and took out the IPregex and just replaced it with $field2$. That brought in the nodes that are in the green range, but not anything that is 100.00. So it has something to do with the round and the decimal I believe.

0 Karma

heybails88
Path Finder

Nope, that didn't fix it. Singled-out nodes using the same search do not show anything when Availability is at 100.00. On the full node panel, it's OK.

0 Karma

heybails88
Path Finder

Needed to add a second eval to fix the above issue. "|eval down=if(isnull(down),0,down)"

0 Karma

somesoni2
SplunkTrust

What type of values does that upordown field hold? What's the timespan (daily, hourly) that you want to use to show availability?

0 Karma

heybails88
Path Finder

Just "available" or "down". I thought about putting the packet loss output in there, but thought I'd keep things simple for now.

0 Karma