Splunk Search

How to calculate the duration of a CRITICAL event?

davidcraven02
Communicator

Is it possible to calculate the total length of time that this host has had a CRITICAL status for?

In the screenshot, it has had a CRITICAL status for approx 3 hours 43 minutes indicated.


Below is the query for one host:

index=ad source=dfs host=nas01n
| eval host = lower(host)
| table _time, host, "Folder Name", "Group Name", State
| fillnull value="Folder Not Enabled" "Folder Name"
| fillnull value="No Group Name" "Group Name"

FrankVl
Ultra Champion

Try the query below. It uses streamstats to calculate a running duration of a certain state and keeps track of the last timestamp. This last timestamp is then used to find the events that mark the end of a period in a certain state. Those events will carry the duration of that period from the streamstats command. Summing duration by State will then give you the total duration a host has been in each state.

index=ad source=dfs host=nas01n
| eval host = lower(host) 
| table _time, host, "Folder Name", "Group Name", State 
| fillnull value="Folder Not Enabled" "Folder Name"
| fillnull value="No Group Name" "Group Name"
| sort _time
| streamstats reset_on_change=true range(_time) as duration latest(_time) as lastTime by State
| where _time = lastTime
| stats sum(duration) by State

davidcraven02
Communicator

Thanks, but all that was returned was two columns that look like the below; I added a PIPE to separate the fields.

State | sum(duration)
CRITICAL | 599
State | 598


FrankVl
Ultra Champion

What else would you like to see in the results?

PS: that sum(duration) is in seconds, if that wasn't clear.

davidcraven02
Communicator

I want to have each individual host listed with a column showing the total time in which the CRITICAL status has been showing.

So the table would look like

| table _time, host, "Folder Name", "Group Name", State, Duration

FrankVl
Ultra Champion

Try removing that last | stats... line from my solution; is that what you're looking for?

Note: if you want to apply this to multiple hosts, you'll need to make some more adjustments. At least it needs to be added to the by clause of the streamstats, and to make that work properly you'll also need to change the sorting so the results are grouped by host (and then sorted by _time).

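The run-length logic FrankVl describes (a running duration that resets whenever the State changes, one row per run taken at the run's last event, totals summed per state, and grouping by host as the last reply suggests) as an added Python reference implementation over constructed sample events. This is not Splunk code and not from anyone in this thread; the function names, the sample events and the `extend_to_next` option are assumptions of the example.

```python
from collections import defaultdict
from itertools import groupby
from operator import itemgetter

# Constructed sample events (epoch seconds), not real data: two hosts polled
# every 60 s. nas01n goes CRITICAL -> OK -> CRITICAL, nas02n stays OK.
# One host name is upper-case to mirror the `eval host = lower(host)` step.
SAMPLE_EVENTS = [
    {"_time": 1_700_000_000, "host": "NAS01N", "State": "CRITICAL"},
    {"_time": 1_700_000_060, "host": "nas01n", "State": "CRITICAL"},
    {"_time": 1_700_000_120, "host": "nas01n", "State": "CRITICAL"},
    {"_time": 1_700_000_180, "host": "nas01n", "State": "OK"},
    {"_time": 1_700_000_240, "host": "nas01n", "State": "OK"},
    {"_time": 1_700_000_300, "host": "nas01n", "State": "CRITICAL"},
    {"_time": 1_700_000_360, "host": "nas01n", "State": "CRITICAL"},
    {"_time": 1_700_000_000, "host": "nas02n", "State": "OK"},
    {"_time": 1_700_000_060, "host": "nas02n", "State": "OK"},
]


def state_runs(events, extend_to_next=False):
    """Return one row per contiguous (host, State) run, oldest first.

    Mirrors: eval host=lower(host) | sort host _time
             | streamstats reset_on_change=true range(_time) as duration by host State
    and keeps only the last event of each run, so `duration` is
    last-observation minus first-observation of that run (range(_time)).

    extend_to_next=True (assumed option, not in the thread) instead measures a
    run up to the first event of the following run on the same host, so that
    the polling gap after the last CRITICAL event is also counted.
    """
    normalised = sorted(
        (dict(e, host=e["host"].lower()) for e in events),
        key=itemgetter("host", "_time"),
    )
    runs = []
    # groupby only merges *consecutive* equal keys, which is exactly the
    # reset_on_change=true behaviour: a new run starts at every State change.
    for (host, state), grp in groupby(normalised, key=itemgetter("host", "State")):
        times = [e["_time"] for e in grp]
        runs.append({
            "host": host,
            "State": state,
            "start": times[0],
            "end": times[-1],
            "duration": times[-1] - times[0],
        })
    if extend_to_next:
        for cur, nxt in zip(runs, runs[1:]):
            if cur["host"] == nxt["host"]:
                cur["end"] = nxt["start"]
                cur["duration"] = cur["end"] - cur["start"]
    return runs


def total_duration(events, state="CRITICAL", **kwargs):
    """Total seconds each host spent in `state` (the `stats sum(duration)` step,
    split by host as the last reply asks for)."""
    totals = defaultdict(int)
    for run in state_runs(events, **kwargs):
        if run["State"] == state:
            totals[run["host"]] += run["duration"]
    return dict(totals)


def format_hms(seconds):
    """Render a duration in seconds as 'Xh Ym Zs' for a human-readable column."""
    hours, rem = divmod(int(seconds), 3600)
    minutes, secs = divmod(rem, 60)
    return f"{hours}h {minutes}m {secs}s"


if __name__ == "__main__":
    for run in state_runs(SAMPLE_EVENTS):
        print(run["host"], run["State"], format_hms(run["duration"]))
    print(total_duration(SAMPLE_EVENTS))
```

Two points the example makes visible: a run that contains a single event gets a duration of 0 with range(_time) semantics, because only the gap between the first and last observation of a run is counted, not the gap up to the next state change; and `sort` in SPL returns at most 10,000 events unless written as `sort 0 host _time`, which matters once every poll of every host is included.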