https://community.splunk.com/t5/Splunk-Search/Pass-earliest-latest-in-pipeline/m-p/350775#M103830 <P>Hi,</P> <P>Sorry for the newbie question. We want to calculate percentage of time between 2 events over the entire search period. We use transaction and get the sum of time between each pair of events:</P> <P>| transaction dest service startswith="CRITICAL;SOFT;1" endswith=OK | stats sum(duration) as total_downtime by dest</P> <P>But we've no idea how to pass the earliest(_time) and latest(_time) of so that we can do the calculation like</P> <P>percentage = (total_downtime/(latest-earliest))*100</P> <P>Would anyone please help?<BR /> Thanks a lot.</P> Tue, 29 Sep 2020 13:12:07 GMT stwong 2020-09-29T13:12:07Z https://community.splunk.com/t5/Splunk-Search/Pass-earliest-latest-in-pipeline/m-p/350775#M103830 <P>Hi,</P> <P>Sorry for the newbie question. We want to calculate percentage of time between 2 events over the entire search period. We use transaction and get the sum of time between each pair of events:</P> <P>| transaction dest service startswith="CRITICAL;SOFT;1" endswith=OK | stats sum(duration) as total_downtime by dest</P> <P>But we've no idea how to pass the earliest(_time) and latest(_time) of so that we can do the calculation like</P> <P>percentage = (total_downtime/(latest-earliest))*100</P> <P>Would anyone please help?<BR /> Thanks a lot.</P> Tue, 29 Sep 2020 13:12:07 GMT https://community.splunk.com/t5/Splunk-Search/Pass-earliest-latest-in-pipeline/m-p/350775#M103830 stwong 2020-09-29T13:12:07Z https://community.splunk.com/t5/Splunk-Search/Pass-earliest-latest-in-pipeline/m-p/350776#M103831 <P>Hi stwong,<BR /> try something like this:</P> <PRE><CODE>your_search | transaction dest service startswith="CRITICAL;SOFT;1" endswith=OK | stats earliest(_time) AS Earliest latest(_time) AS Latest sum(duration) as total_downtime by dest | eval percentage = (total_downtime/(Latest-Earliest))*100 </CODE></PRE> <P>Bye.<BR /> Giuseppe</P> Fri, 10 Mar 2017 10:27:11 GMT https://community.splunk.com/t5/Splunk-Search/Pass-earliest-latest-in-pipeline/m-p/350776#M103831 gcusello 2017-03-10T10:27:11Z https://community.splunk.com/t5/Splunk-Search/Pass-earliest-latest-in-pipeline/m-p/350777#M103832 <P>Ditch <CODE>transaction</CODE>; try this:</P> <PRE><CODE>... | search OK OR "CRITICAL;SOFT;1" | streamstats count(eval(searchmatch("CRITICAL;SOFT;1"))) AS sessionID BY dest service | stats range(_time) AS duration by dest service sessionID | stats sum(duration) as total_downtime by dest | addinfo | percentDown = 100 * (total_downtime)/(info_max_time - info_min_time) </CODE></PRE> Fri, 10 Mar 2017 15:29:08 GMT https://community.splunk.com/t5/Splunk-Search/Pass-earliest-latest-in-pipeline/m-p/350777#M103832 woodcock 2017-03-10T15:29:08Z https://community.splunk.com/t5/Splunk-Search/Pass-earliest-latest-in-pipeline/m-p/350778#M103833 <P>Hi Giuseppe,</P> <P>Thanks. Seems this returns time period of transaction. Can I get the time span for "your_search" ? It's Nagios log and logs status of all hosts. Some are okay and some have down/up status change. We hope to get the percentage of downtime of each host (period betwen down/up) over the entire period.</P> <P>Bye,<BR /> /st</P> Fri, 10 Mar 2017 16:30:38 GMT https://community.splunk.com/t5/Splunk-Search/Pass-earliest-latest-in-pipeline/m-p/350778#M103833 stwong 2017-03-10T16:30:38Z https://community.splunk.com/t5/Splunk-Search/Pass-earliest-latest-in-pipeline/m-p/350779#M103834 <P>Hi, thanks. Tried addinfo before but seems add earliest/latest time for transaction instead of the first search in the pipe line. </P> <P>Rgds<BR /> /st</P> Fri, 10 Mar 2017 16:32:47 GMT https://community.splunk.com/t5/Splunk-Search/Pass-earliest-latest-in-pipeline/m-p/350779#M103834 stwong 2017-03-10T16:32:47Z https://community.splunk.com/t5/Splunk-Search/Pass-earliest-latest-in-pipeline/m-p/350780#M103835 <P>In this way you have the first and the latest events of your results.<BR /> to have earliest and latest you should follow this answer:<BR /> <A href="https://answers.splunk.com/answers/334498/how-to-use-eval-on-a-token-from-a-time-picker-and.html">https://answers.splunk.com/answers/334498/how-to-use-eval-on-a-token-from-a-time-picker-and.html</A></P> <P>Bye.<BR /> Giuseppe</P> Fri, 10 Mar 2017 16:45:56 GMT https://community.splunk.com/t5/Splunk-Search/Pass-earliest-latest-in-pipeline/m-p/350780#M103835 gcusello 2017-03-10T16:45:56Z https://community.splunk.com/t5/Splunk-Search/Pass-earliest-latest-in-pipeline/m-p/350781#M103836 <P>Why don't you fintune your Table </P> <P>Try this</P> <P>Host|now vs Latest max(transaction time in minutes)</P> Fri, 10 Mar 2017 16:57:20 GMT https://community.splunk.com/t5/Splunk-Search/Pass-earliest-latest-in-pipeline/m-p/350781#M103836 puneethgowda 2017-03-10T16:57:20Z https://community.splunk.com/t5/Splunk-Search/Pass-earliest-latest-in-pipeline/m-p/350782#M103837 <P>Host 1 2 minutes <BR /> Host 2 5 minutes <BR /> Host 3 40 minutes </P> <P>Like this you can show what is the downtime of each server in minutes </P> Fri, 10 Mar 2017 17:00:07 GMT https://community.splunk.com/t5/Splunk-Search/Pass-earliest-latest-in-pipeline/m-p/350782#M103837 puneethgowda 2017-03-10T17:00:07Z https://community.splunk.com/t5/Splunk-Search/Pass-earliest-latest-in-pipeline/m-p/350783#M103838 <P>Did you actually try my search?</P> Fri, 10 Mar 2017 21:06:02 GMT https://community.splunk.com/t5/Splunk-Search/Pass-earliest-latest-in-pipeline/m-p/350783#M103838 woodcock 2017-03-10T21:06:02Z https://community.splunk.com/t5/Splunk-Search/Pass-earliest-latest-in-pipeline/m-p/350784#M103839 <P>Hi, yes, tried and see info_max_time = +infinity and info_min_time = 0.000. thanks a lot.</P> Tue, 29 Sep 2020 13:12:26 GMT https://community.splunk.com/t5/Splunk-Search/Pass-earliest-latest-in-pipeline/m-p/350784#M103839 stwong 2020-09-29T13:12:26Z https://community.splunk.com/t5/Splunk-Search/Pass-earliest-latest-in-pipeline/m-p/350785#M103840 <P>Thanks, will study and give a try.</P> <P>Bye.<BR /> /st</P> Sat, 11 Mar 2017 11:47:01 GMT https://community.splunk.com/t5/Splunk-Search/Pass-earliest-latest-in-pipeline/m-p/350785#M103840 stwong 2017-03-11T11:47:01Z https://community.splunk.com/t5/Splunk-Search/Pass-earliest-latest-in-pipeline/m-p/350786#M103841 <P>Try this:</P> <PRE><CODE>... | search OK OR "CRITICAL;SOFT;1" | streamstats count(eval(searchmatch("CRITICAL;SOFT;1"))) AS sessionID BY dest service | stats range(_time) AS duration min(_time) AS earliest BY dest service sessionID | stats sum(duration) as total_downtime min(earliest) AS earliest BY dest | eventstats min(earliest) AS earliest | percentDown = 100 * (total_downtime)/(now() - earliest) </CODE></PRE> <P>Using search time parameters would be wrong because <CODE>0</CODE> from all time would be from 1977. This uses the oldest <CODE>_time</CODE> value from all events returned in the search and <CODE>now()</CODE> as the time frame.</P> Sat, 11 Mar 2017 15:33:42 GMT https://community.splunk.com/t5/Splunk-Search/Pass-earliest-latest-in-pipeline/m-p/350786#M103841 woodcock 2017-03-11T15:33:42Z https://community.splunk.com/t5/Splunk-Search/Pass-earliest-latest-in-pipeline/m-p/350787#M103842 <P>Hello, thanks. I'm able to get the downtime of each server now. Just hope to get the percentage of downtime of each host over the entire search period (time between the first and last records for all hosts, or better to get the start/end time of time picker). Thanks.</P> Mon, 13 Mar 2017 03:25:40 GMT https://community.splunk.com/t5/Splunk-Search/Pass-earliest-latest-in-pipeline/m-p/350787#M103842 stwong 2017-03-13T03:25:40Z https://community.splunk.com/t5/Splunk-Search/Pass-earliest-latest-in-pipeline/m-p/350788#M103843 <P>Thanks, will give it a try.</P> <P>Rgds</P> Mon, 13 Mar 2017 03:27:10 GMT https://community.splunk.com/t5/Splunk-Search/Pass-earliest-latest-in-pipeline/m-p/350788#M103843 stwong 2017-03-13T03:27:10Z https://community.splunk.com/t5/Splunk-Search/Pass-earliest-latest-in-pipeline/m-p/350789#M103844 <P>Don't forget to upvote helpful answers and close the question by clicking <CODE>Accept</CODE> on the best one.</P> Mon, 13 Mar 2017 19:21:51 GMT https://community.splunk.com/t5/Splunk-Search/Pass-earliest-latest-in-pipeline/m-p/350789#M103844 woodcock 2017-03-13T19:21:51Z