Creating mean time to repair out of ping output script

heybails88 — Thu, 07 Jun 2018 16:52:20 GMT

Hi all,

I know there's probably a simple answer, but being relatively new to Splunk, I'm still trying to get my head around the logic. I want to create a dashboard panel that shows the "mean time to repair" using a log time stamp built off a ping script I've developed. So it would calculate the total number of "down" outputs and then when it becomes available, use the "pingtime" to show the MTTR. How do I do that using the "eval"? Or is eval the wrong way? Here's the events that I'm looking at.

6/6/18
8:26:48.000 AM

20180606082648 IP address is available

NID =   <nodename>  
pingtime =  20180606082648  
status =    available

6/6/18
8:21:56.000 AM

20180606082156 IP address is down or not reachable

NID =   <nodename>  
pingtime =  20180606082156  
status =    down

Re: Creating mean time to repair out of ping output script

heybails88 — Tue, 29 Sep 2020 20:08:56 GMT

With a lot of painstaking work, this is what we've come up with:
index=nid_availability NIDIP= "chosen IP address from dropdown field2"
| rename NIDIP as IP
|lookup nidnodes.csv IP
| transaction NID startswith="up_or_down=down" endswith="up_or_down=available"
| stats avg(duration) as avg_outage by NID
| eval MTTR=tostring(avg_outage, "duration")
| table NID MTTR

The "up_or_down" is an extract from the output of the ping script.

topic Creating mean time to repair out of ping output script in Splunk Search

Creating mean time to repair out of ping output script

Re: Creating mean time to repair out of ping output script