Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

timechart count for last status=up, each month

adamsmith47
Communicator
‎08-24-2018 01:00 PM

So, I've simplified my real problem down to this example with as few variables as possible. I wish I could simply alter the manor which the data is coming in, but, I can not, so I need a solution via SPL.

Here it goes:

Almost daily Splunk indexes a set of data that has two important fields, system_id and system_status. system_id is a unique identifier to each system, and system_status can have the values of "up" or "down". This data is indexed all at once, almost daily. And example of events would look like this:

One day:
08/24/2018T01:00:00 5671 up
08/24/2018T01:00:00 5672 up
08/24/2018T01:00:00 5673 down
08/24/2018T01:00:00 5674 up
08/24/2018T01:00:00 5675 up
08/24/2018T01:00:00 5676 down
08/24/2018T01:00:00 5677 up

The next day:
08/25/2018T01:00:00 5671 up
08/25/2018T01:00:00 5672 up
08/25/2018T01:00:00 5673 up
08/25/2018T01:00:00 5674 up
08/25/2018T01:00:00 5675 up
08/25/2018T01:00:00 5676 down
08/25/2018T01:00:00 5677 up

My goal: a timechart which shows the count of the number of systems "up" for the last data indexed each month. If it helps, each system_id is guaranteed to be in each set of indexed data.

This seems deceptively difficult. Many thanks to any help!

0 Karma
Reply

skoelpin
SplunkTrust
SplunkTrust
‎08-24-2018 01:38 PM

Try this.. It will extract the up or down value, then use conditional logic to give it a 1 or 0 then do a timechart with 1 minute spans

| rex \d+\s(?<up_or_down>\w+)
| eval state=if(up_or_down="up",1,0)
| timechart span=1m max(state) AS state
0 Karma
Reply

adamsmith47
Communicator
‎08-27-2018 09:29 AM

Thanks for the response, I should clarify my desired goal.

I'd like a timechart (coverage of 12 months, but span=1 month) which displays only 1 value per month. And that value is the number of "up" systems seen in the last data indexing for the month.

Your response did lead me to a solution which works, however, doing two timecharts in a row seems sloppy, any suggestions for a more elegant solution?

... my search
| eval state=if(system_status="up", 1, 0)
| timechart span=d@d sum(state) AS state
| timechart span=mon@mon last(state) AS state

0 Karma
Reply

skoelpin
SplunkTrust
SplunkTrust
‎08-27-2018 09:34 AM

You could replace the first timechart with an eventstats or simply leave it the way you got it if its fast. Please upvote/accept if this helped

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...