topic Re: Time from a search in Splunk Search

Time from a search

mariamathewtel — Tue, 23 Mar 2021 11:43:55 GMT

Hi All,

I have a query like below.

index="abc" host=xxx
| eval Indicator=if(state=="RUNNING", "10", "0")
| timechart span=5min min(Indicator) as "Trend"

and it will give me results like below.

I am trying to get the time(_time) value when there is a change in the value of Trend happens.

eg myTime = 2021-03-18 16:55:00 (When trend changes from 10 to 0)

myTime = 2021-03-18 17:25:00 (When trend changes from 0 to 10)

Can someone please help me do it. Would really appreciate if someone can help with the difference between these times also.

myTime = 2021-03-18 16:55:00

myTime = 2021-03-18 17:25:00 Difference = 30 minutes

Re: Time from a search

rnowitzki — Wed, 24 Mar 2021 11:22:32 GMT

Hi @mariamathewtel ,

Try this SPL after your search that populates the table shown in the Screenshot:

| streamstats current=f window=1 last(Trend) as prev_trend | eval trendchange=if(Trend!=prev_trend,"true", "false") | where trendchange="true" | streamstats current=f window=1 last(_time) as prev_time | eval gap=tostring(_time-prev_time, "Duration") | convert ctime(prev_time)

It will give you only the line where a change in Trend happened, including the gap since the last change took place.

Remove the line with "where" to see the whole list, I was not sure if you wanted to filter the ones without change or not.

Hope this helps.

BR
Ralph

Re: Time from a search

manjunathmeti — Wed, 24 Mar 2021 11:48:12 GMT

hi @mariamathewtel,

You can use the delta command to identify the event where the Trend value is changed and also to calculate the duration. Try this,

If this reply helps you, an upvote/like would be appreciated.

Re: Time from a search

mariamathewtel — Thu, 25 Mar 2021 07:24:35 GMT

Hi @manjunathmeti ,

this works just fine. exactly what i needed.

Thanks a lot 🙂

Re: Time from a search

mariamathewtel — Thu, 25 Mar 2021 07:28:00 GMT

Hi @rnowitzki ,

This also works as required. 🙂

Thanks a lot for the help 🙂

Re: Time from a search

mariamathewtel — Thu, 25 Mar 2021 10:55:08 GMT

Hi @manjunathmeti , @rnowitzki , need one more help

query works well and m getting the correct duration.

here as you can see the duration is getting updated to the row when the Trend is 10(UP). i want it to be attached to the row where trend is 0(DOWN) so that i can display the downtime properly.

Like below

So that it can be displayed like below in a dashboard. (Only Downtime)

Re: Time from a search

rnowitzki — Thu, 25 Mar 2021 12:07:32 GMT

Hmm, so you basically want to switch the Status.
Could this be enough? Add it below your current SPL:

| eval status=if(status="DOWN", "UP", "DOWN")

Or you change the logic already when you assign either DOWN or UP.

After that you can filter to see only the DOWN ones with

| where status="DOWN"

Hope I got your requirement correct.

BR
Ralph

Re: Time from a search

manjunathmeti — Thu, 25 Mar 2021 13:31:20 GMT

hi @mariamathewtel,
You can use autoregress to move Duration values to one row up. Try this:

If this reply helps you, a like would be appreciated.