Hi, I am getting logs one or two days old in Splunk and I want to create a table which will show how long the CPU was above a threshold value (which is user-configurable from an input). For example, let's say I want to show sources whose CPU was higher than 40, and in the same table I want to know for how long it was high.
Is it possible in Splunk? Please advise.
Logs look like:
2019-11-12 01:01:04.120, per_cpu=40
2019-11-12 01:03:04.120, per_cpu=41
Thanks.
Like this:
... | streamstats count(eval(per_cpu<=40)) AS sessionID BY host and other fields here
| reverse
| streamstats count AS serial BY sessionID host and other fields here
| where serial>1
| stats min(_time) AS _time range(_time) AS duration max(per_cpu) avg(per_cpu) BY sessionID host and other fields here
| eval duration = tostring(duration, "duration")
| makeresults count=2
| streamstats count
| eval _time = if (count==2,relative_time(_time,"-1d@m"), relative_time(_time,"@m"))
| makecontinuous span=1m
| eval per_cpu=random() % 5 + 40
| table _time per_cpu
`comment("this is sample data")`
| streamstats reset_after="per_cpu>40" count
| streamstats count(eval(per_cpu<=40)) as check_count
| eval check = if(per_cpu > 40 ,1,0)
| stats range(eval(if(check==1 AND count > 0,_time , NULL))) as duration by check_count
| stats sum(duration) as total_duration
| eval total_duration=tostring(total_duration,"duration")
Hi, how about this?
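As an added example that is not part of either answer, here is the same session/duration logic in Python over the question's log format, so the result of the SPL above can be checked offline: a running count of readings at or below the threshold acts as the session id (like the streamstats check_count), and each run of readings above the threshold is reported with its start, duration and peak. The sample lines and the threshold value are constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample lines in the format shown in the question.
SAMPLE_LOGS = """\
2019-11-12 01:01:04.120, per_cpu=40
2019-11-12 01:03:04.120, per_cpu=41
2019-11-12 01:05:04.120, per_cpu=43
2019-11-12 01:07:04.120, per_cpu=39
2019-11-12 01:09:04.120, per_cpu=42
2019-11-12 01:11:04.120, per_cpu=38
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+), per_cpu=(\d+)$")


def parse_logs(text):
    """Return (timestamp, per_cpu) tuples in chronological order."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the log format
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        rows.append((ts, int(m.group(2))))
    rows.sort()
    return rows


def high_cpu_sessions(rows, threshold):
    """Group consecutive readings with per_cpu > threshold into sessions.

    check_count (readings <= threshold seen so far) is the session id, so all
    high readings between two low readings share one id. Duration is the last
    high timestamp minus the first, the same as range(_time) in the SPL.
    """
    sessions = {}  # session id -> [first_ts, last_ts, max_cpu]
    check_count = 0
    for ts, cpu in rows:
        if cpu <= threshold:
            check_count += 1
            continue
        s = sessions.setdefault(check_count, [ts, ts, cpu])
        s[1] = ts
        s[2] = max(s[2], cpu)
    return [{"start": st, "duration_s": (en - st).total_seconds(), "max_cpu": mx}
            for st, en, mx in sessions.values()]


def total_high_seconds(rows, threshold):
    """Sum of all high-CPU session durations, like the final stats sum(duration)."""
    return sum(s["duration_s"] for s in high_cpu_sessions(rows, threshold))
```

A session with a single high reading reports a duration of 0, exactly as range(_time) does in the SPL, because there is no second timestamp to measure against; the reporting interval of the logs is therefore the resolution of the result.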
@to4kawa - You're amazing. Thanks.