topic Re: system uptime calculation in Splunk Search

system uptime calculation

pprakash2 — Wed, 08 Feb 2017 09:34:22 GMT

I have a field uptime which is being forwarded from one of the server i want to monitor its uptime. This field has accumulated value of time in seconds. How do i calculate uptime of server in percentage given the date range.

Re: system uptime calculation

ehudb — Wed, 08 Feb 2017 23:17:25 GMT

It would help if you will post some examples to the uptime and date range fields

Re: system uptime calculation

pprakash2 — Thu, 09 Feb 2017 04:04:15 GMT

example splunk events below:

timestamp=15-01-2016 02:05:34.00, uptime=1231
timestamp=15-01-2016 04:07:22.00, uptime=2398
timestamp=16-01-2016 06:03:15.00, uptime=198792

if the servecr is restarted the uptime counter starts from 0. Based on these events, i need to calculate the % uptime , % downtime for the server. Could you please assist.

Re: system uptime calculation

pprakash2 — Thu, 09 Feb 2017 09:41:19 GMT

Thanks morley, this query works for events starting with uptime 0 to some value, if server restarts, uptime starts from 0. for this scenario, the uptime calculation doesn't workout!

[2017-02-09 04:53:27,006]: host="infor-gtnalpq-msa1-1" , uptime="327"
[2017-02-09 04:53:28,006]: host="infor-gtnalpq-msa1-1" , uptime="328"
[2017-02-09 04:53:29,006]: host="infor-gtnalpq-msa1-1" , uptime="329"
[2017-02-09 04:53:30,006]: host="infor-gtnalpq-msa1-1" , uptime="330"
[2017-02-09 04:53:34,006]: host="infor-gtnalpq-msa1-1" , uptime="0"
[2017-02-09 04:53:35,006]: host="infor-gtnalpq-msa1-1" , uptime="1"
[2017-02-09 04:53:36,006]: host="infor-gtnalpq-msa1-1" , uptime="2"
[2017-02-09 04:53:37,006]: host="infor-gtnalpq-msa1-1" , uptime="3"
[2017-02-09 04:53:38,006]: host="infor-gtnalpq-msa1-1" , uptime="4"

Re: system uptime calculation

ehudb — Thu, 09 Feb 2017 11:11:10 GMT

Assuming uptime values makes sense: for this example first two lines have the same starting time.
And timestamp is recognized as _time field,

If the source looks like this:

|makeresults |eval a="time=15-01-2016 02:05:34.00, uptime=1231 BR
time=15-01-2016 02:45:32.00, uptime=3629 BR
time=16-01-2016 06:03:15.00, uptime=93253" |table a
|makemv delim="BR" a |mvexpand a |rename a as _raw |extract |eval _time=strptime(time,"%d-%m-%Y %H:%M:%S") |table _time uptime 



_time                 uptime
--------------------------------
2016-01-15 02:05:34 1231
2016-01-15 02:45:32 3629
2016-01-16 06:03:15 93253

Then the following query will calculate the precentage of uptime and downtime

|makeresults |eval a="time=15-01-2016 02:05:34.00, uptime=1231 BR
time=15-01-2016 02:45:32.00, uptime=3629 BR
time=16-01-2016 06:03:15.00, uptime=93253" |table a
|makemv delim="BR" a |mvexpand a |rename a as _raw |extract |eval _time=strptime(time,"%d-%m-%Y %H:%M:%S") |table _time uptime 


|eval start=_time-uptime,end=_time |eval startc=start,endc=end  
|convert ctime(*c) |sort - _time |dedup start |reverse | streamstats values(end) as before_end window=1 current=f |eval downtime=start-before_end |stats sum(uptime) as uptime sum(downtime) as downtime
|eval overall=uptime+downtime |eval uptime=(uptime/overall)*100,downtime=(downtime/overall)*100 |table uptime downtime

Result:

uptime  downtime
95.08   4.92

Re: system uptime calculation

pprakash2 — Thu, 23 Feb 2017 06:10:14 GMT

Thanks Ehud, this was helpful!