https://community.splunk.com/t5/Splunk-Search/searching-events-for-quot-was-down-for-quot-and-averaging-the/m-p/677829#M231776 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/263723">@jyates76</a>,</P><P>you have to extract the down duratio and then run a simple search:</P><LI-CODE lang="markup">index=your_index "was down for" | rex "was\s+down\s+for\s+(?&lt;hours&gt;\d+)hr:(?&lt;minutes&gt;\d+)min:(?&lt;seconds&gt;\d+)sec" | eval duration=hours*3600+minutes*60+seconds | timechart perc90(duration) BY host</LI-CODE><P>You can test the regex at&nbsp;<A href="https://regex101.com/r/75pRcf/1" target="_blank">https://regex101.com/r/75pRcf/1</A></P><P>then you can use other functions or aggregations.</P><P>Ciao.</P><P>Giuseppe</P> Fri, 16 Feb 2024 17:16:19 GMT gcusello 2024-02-16T17:16:19Z https://community.splunk.com/t5/Splunk-Search/searching-events-for-quot-was-down-for-quot-and-averaging-the/m-p/677795#M231765 <P>I have events like the below that are saying when a particular pool member was out of rotation for a particular period of time.&nbsp; What would be an ideal search would be to match all events that have the "was down for" and then the length of time and simply average that, and take the 95th percentile of that duration.&nbsp; &nbsp;Probably more difficult than it seems and I'm not sure how to approach it.</P><DIV class=""><DIV class="">&lt;<SPAN class="">133</SPAN>&gt;<SPAN class="">Feb</SPAN> <SPAN class="">13</SPAN> <SPAN class="">13:01:33</SPAN> <SPAN class="">slot2/US66666-CORE-LTM1.company.COM</SPAN> <SPAN class="">notice</SPAN> <SPAN class="">mcpd</SPAN>[<SPAN class="">8701</SPAN>]<SPAN class="">:</SPAN> <SPAN class="">01070727:5:</SPAN> <SPAN class="">Pool</SPAN> <SPAN class="">/Common/pool-generic</SPAN>&nbsp;<SPAN class="">member</SPAN> <SPAN class="">/Common/servernamew006:8080</SPAN> <SPAN class="">monitor</SPAN> <SPAN class="">status</SPAN> <SPAN class="">up.</SPAN> [ <SPAN class="">/Common/mon-xxx-prod-xxx-liveness:</SPAN> <SPAN class="">up</SPAN> ] <STRONG>[ <SPAN class="">was</SPAN> <SPAN class="">down</SPAN> <SPAN class="">for</SPAN> <SPAN class="">0hr:0min:15sec</SPAN> ]</STRONG></DIV></DIV><DIV class=""><UL class=""><LI><SPAN class="">host =</SPAN><SPAN> <SPAN class=""><A class="" title="/var/log/HOSTS/us6645ny-core-ltm1.paychex.com/us6645ny-core-ltm1.paychex.com-syslog.log" href="https://splunk.paychex.com/en-US/app/SHO/search?earliest=1707843600.000&amp;latest=1707847200&amp;q=search%20index%3Df5_prod%20Monitor_Status%3D%22monitor%20status%20up%22%20f5_pool_member%20IN%20(*caappr*ui*%2C%20*caappr*bt*%2C%20*caappr*rp*)%20f5_pool_monitor%20IN%20(%2FCommon%2Fmon-pay*-prod-wdc-liveness%2C%20%2FCommon%2Fmon-pay*-prod-hdc-liveness)%20%20%20%20%7C%20rex%20field%3D_raw%20%22%3E(%3F%3Calert_time%3E.%2B)%20slot%22%20%20%20%20%20%7C%20eval%20_time%3Dstrptime(alert_time%2C%20%22%25b%20%25d%20%25H%3A%25M%3A%25S%22)%20%20%20%20%20%7C%20eval%20date_hour%3Dstrftime(_time%2C%22%25H%22)%20%20%20%20%7C%20eval%20day_of_week%20%3D%20strftime(_time%2C%22%25A%22)%20%20%20%20%7C%20eval%20date_wday%20%3D%20strftime(_time%2C%20%22%25w%22)%20%20%20%20%7C%20sort%20-%20_time%20%20%20%7C%20search%20date_hour%3E%3D7%20date_hour%3C%3D17%20date_wday%3E%3D1%20date_wday%3C%3D5%20%20%20%20%7C%20rex%20field%3Df5_pool_monitor%20%22(%3F%3Cpaycluster%3Epay.%2B%5B0-9%5D).%2B(%3F%3Cdatacenter%3E%5Bhw%5Ddc)%22%20%20%20%20%7C%20search%20paycluster%3Dpay06%20%7C%20dedup%20_raw&amp;display.page.search.mode=verbose&amp;dispatch.sample_ratio=1&amp;display.page.search.tab=events&amp;display.general.type=events&amp;sid=1708084649.2017262_28F65100-3C82-4CB7-8F25-B612CCC1B240#" target="_blank" rel="noopener">US66666</A>-</SPAN></SPAN><SPAN class=""><A class="" title="us6645ny-core-ltm1.paychex.com" href="https://splunk.paychex.com/en-US/app/SHO/search?earliest=1707843600.000&amp;latest=1707847200&amp;q=search%20index%3Df5_prod%20Monitor_Status%3D%22monitor%20status%20up%22%20f5_pool_member%20IN%20(*caappr*ui*%2C%20*caappr*bt*%2C%20*caappr*rp*)%20f5_pool_monitor%20IN%20(%2FCommon%2Fmon-pay*-prod-wdc-liveness%2C%20%2FCommon%2Fmon-pay*-prod-hdc-liveness)%20%20%20%20%7C%20rex%20field%3D_raw%20%22%3E(%3F%3Calert_time%3E.%2B)%20slot%22%20%20%20%20%20%7C%20eval%20_time%3Dstrptime(alert_time%2C%20%22%25b%20%25d%20%25H%3A%25M%3A%25S%22)%20%20%20%20%20%7C%20eval%20date_hour%3Dstrftime(_time%2C%22%25H%22)%20%20%20%20%7C%20eval%20day_of_week%20%3D%20strftime(_time%2C%22%25A%22)%20%20%20%20%7C%20eval%20date_wday%20%3D%20strftime(_time%2C%20%22%25w%22)%20%20%20%20%7C%20sort%20-%20_time%20%20%20%7C%20search%20date_hour%3E%3D7%20date_hour%3C%3D17%20date_wday%3E%3D1%20date_wday%3C%3D5%20%20%20%20%7C%20rex%20field%3Df5_pool_monitor%20%22(%3F%3Cpaycluster%3Epay.%2B%5B0-9%5D).%2B(%3F%3Cdatacenter%3E%5Bhw%5Ddc)%22%20%20%20%20%7C%20search%20paycluster%3Dpay06%20%7C%20dedup%20_raw&amp;display.page.search.mode=verbose&amp;dispatch.sample_ratio=1&amp;display.page.search.tab=events&amp;display.general.type=events&amp;sid=1708084649.2017262_28F65100-3C82-4CB7-8F25-B612CCC1B240#" target="_blank" rel="noopener">core-ltm1.company.com</A></SPAN></LI><LI><SPAN class="">source =</SPAN><SPAN>&nbsp;</SPAN><SPAN class=""><A class="" title="/var/log/HOSTS/us6645ny-core-ltm1.paychex.com/us6645ny-core-ltm1.paychex.com-syslog.log" href="https://splunk.paychex.com/en-US/app/SHO/search?earliest=1707843600.000&amp;latest=1707847200&amp;q=search%20index%3Df5_prod%20Monitor_Status%3D%22monitor%20status%20up%22%20f5_pool_member%20IN%20(*caappr*ui*%2C%20*caappr*bt*%2C%20*caappr*rp*)%20f5_pool_monitor%20IN%20(%2FCommon%2Fmon-pay*-prod-wdc-liveness%2C%20%2FCommon%2Fmon-pay*-prod-hdc-liveness)%20%20%20%20%7C%20rex%20field%3D_raw%20%22%3E(%3F%3Calert_time%3E.%2B)%20slot%22%20%20%20%20%20%7C%20eval%20_time%3Dstrptime(alert_time%2C%20%22%25b%20%25d%20%25H%3A%25M%3A%25S%22)%20%20%20%20%20%7C%20eval%20date_hour%3Dstrftime(_time%2C%22%25H%22)%20%20%20%20%7C%20eval%20day_of_week%20%3D%20strftime(_time%2C%22%25A%22)%20%20%20%20%7C%20eval%20date_wday%20%3D%20strftime(_time%2C%20%22%25w%22)%20%20%20%20%7C%20sort%20-%20_time%20%20%20%7C%20search%20date_hour%3E%3D7%20date_hour%3C%3D17%20date_wday%3E%3D1%20date_wday%3C%3D5%20%20%20%20%7C%20rex%20field%3Df5_pool_monitor%20%22(%3F%3Cpaycluster%3Epay.%2B%5B0-9%5D).%2B(%3F%3Cdatacenter%3E%5Bhw%5Ddc)%22%20%20%20%20%7C%20search%20paycluster%3Dpay06%20%7C%20dedup%20_raw&amp;display.page.search.mode=verbose&amp;dispatch.sample_ratio=1&amp;display.page.search.tab=events&amp;display.general.type=events&amp;sid=1708084649.2017262_28F65100-3C82-4CB7-8F25-B612CCC1B240#" target="_blank" rel="noopener">/var/log/HOSTS/US66666-core-ltm1.company.com/xxx.xxx.com-syslog.log</A></SPAN></LI><LI><SPAN class="">sourcetype =</SPAN><SPAN>&nbsp;</SPAN><SPAN class=""><A class="" title="syslog_alb" href="https://splunk.paychex.com/en-US/app/SHO/search?earliest=1707843600.000&amp;latest=1707847200&amp;q=search%20index%3Df5_prod%20Monitor_Status%3D%22monitor%20status%20up%22%20f5_pool_member%20IN%20(*caappr*ui*%2C%20*caappr*bt*%2C%20*caappr*rp*)%20f5_pool_monitor%20IN%20(%2FCommon%2Fmon-pay*-prod-wdc-liveness%2C%20%2FCommon%2Fmon-pay*-prod-hdc-liveness)%20%20%20%20%7C%20rex%20field%3D_raw%20%22%3E(%3F%3Calert_time%3E.%2B)%20slot%22%20%20%20%20%20%7C%20eval%20_time%3Dstrptime(alert_time%2C%20%22%25b%20%25d%20%25H%3A%25M%3A%25S%22)%20%20%20%20%20%7C%20eval%20date_hour%3Dstrftime(_time%2C%22%25H%22)%20%20%20%20%7C%20eval%20day_of_week%20%3D%20strftime(_time%2C%22%25A%22)%20%20%20%20%7C%20eval%20date_wday%20%3D%20strftime(_time%2C%20%22%25w%22)%20%20%20%20%7C%20sort%20-%20_time%20%20%20%7C%20search%20date_hour%3E%3D7%20date_hour%3C%3D17%20date_wday%3E%3D1%20date_wday%3C%3D5%20%20%20%20%7C%20rex%20field%3Df5_pool_monitor%20%22(%3F%3Cpaycluster%3Epay.%2B%5B0-9%5D).%2B(%3F%3Cdatacenter%3E%5Bhw%5Ddc)%22%20%20%20%20%7C%20search%20paycluster%3Dpay06%20%7C%20dedup%20_raw&amp;display.page.search.mode=verbose&amp;dispatch.sample_ratio=1&amp;display.page.search.tab=events&amp;display.general.type=events&amp;sid=1708084649.2017262_28F65100-3C82-4CB7-8F25-B612CCC1B240#" target="_blank" rel="noopener">syslog_alb</A></SPAN></LI></UL></DIV> Fri, 16 Feb 2024 12:44:45 GMT https://community.splunk.com/t5/Splunk-Search/searching-events-for-quot-was-down-for-quot-and-averaging-the/m-p/677795#M231765 jyates76 2024-02-16T12:44:45Z https://community.splunk.com/t5/Splunk-Search/searching-events-for-quot-was-down-for-quot-and-averaging-the/m-p/677829#M231776 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/263723">@jyates76</a>,</P><P>you have to extract the down duratio and then run a simple search:</P><LI-CODE lang="markup">index=your_index "was down for" | rex "was\s+down\s+for\s+(?&lt;hours&gt;\d+)hr:(?&lt;minutes&gt;\d+)min:(?&lt;seconds&gt;\d+)sec" | eval duration=hours*3600+minutes*60+seconds | timechart perc90(duration) BY host</LI-CODE><P>You can test the regex at&nbsp;<A href="https://regex101.com/r/75pRcf/1" target="_blank">https://regex101.com/r/75pRcf/1</A></P><P>then you can use other functions or aggregations.</P><P>Ciao.</P><P>Giuseppe</P> Fri, 16 Feb 2024 17:16:19 GMT https://community.splunk.com/t5/Splunk-Search/searching-events-for-quot-was-down-for-quot-and-averaging-the/m-p/677829#M231776 gcusello 2024-02-16T17:16:19Z