Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Find time between groups of events

Jesterhead
Engager
‎11-05-2012 04:25 PM

So we log an event every hour which will either contain a true or a false. True when we are up and running ok, and false when we are down/not running at full capacity. I've been asked to use this data to track downtime for each of our sites. So for example we might have 12 events that read 'True' surrounded by many 'False' on either side of it, and then days later have a 'pocket' of events that read true again. I'm quite new to Splunk so please excuse any ignorance.

I'm looking for total amount of up time vs down time as well as the individual time for each 'pocket' of events that read true. Is this possible in any capacity to do in Splunk?

Many thanks!

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎11-05-2012 10:40 PM

If you want to group per hour, Bucket your events per time per hour.
then count the number of hours up or down.

* | bucket _time span=1h | rex "(?<state>(ok|false))" | stats count(eval(state="ok")) AS stateOK count(eval(state="false")) AS stateFALSE by state _time | eval hourly_state=if(stateOK>stateFALSE, "ok","false")

Then you can do a global |states count per hourly_state

Of you need to see the group of events, you can then add a transaction.

[edit] fixed typo in the rex command

View solution in original post

Reply
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎11-05-2012 10:40 PM

If you want to group per hour, Bucket your events per time per hour.
then count the number of hours up or down.

* | bucket _time span=1h | rex "(?<state>(ok|false))" | stats count(eval(state="ok")) AS stateOK count(eval(state="false")) AS stateFALSE by state _time | eval hourly_state=if(stateOK>stateFALSE, "ok","false")

Then you can do a global |states count per hourly_state

Of you need to see the group of events, you can then add a transaction.

[edit] fixed typo in the rex command

Reply
Solved! Jump to solution

yannK
Splunk Employee
Splunk Employee
‎11-06-2012 10:48 AM

I just fixed a missing closing parentesis in the rex command.

0 Karma
Reply
Solved! Jump to solution

Jesterhead
Engager
‎11-06-2012 10:36 AM

Great thanks for the help. I'm having trouble setting the rex command. What exactly do I need to plug into it for it to go through?

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...