https://community.splunk.com/t5/Splunk-Search/How-to-modify-my-search-to-calculate-availability-of-multiple/m-p/207462#M60488 <P>Not sure I get the picture of what your final output should look like. Could you please provide your expected output, in tabular form may be, that you need (for the sum of total of failures)?</P> <P>Following suggestion is with some assumptions, give this a try</P> <P><STRONG>Updated</STRONG><BR /> Fixed eval command and adjusted to expected output.</P> <PRE><CODE> source=*** (service=*** OR service=***) | bucket span=m _time | stats count values(result) AS partResult by _time service | eval finalResult=if(isnotnull(mvfilter(match(partResult,"fail"))),1,0) | timechart span=m sum(finalResult) as Failures BY service | filldown | untable _time service failures | stats dc(_time) as TotalMinutes sum(failures) as TotalFailures by service | eval Availability=100- round(TotalFailures*100/TotalMinutes,2) </CODE></PRE> Fri, 23 Sep 2016 16:03:36 GMT somesoni2 2016-09-23T16:03:36Z https://community.splunk.com/t5/Splunk-Search/How-to-modify-my-search-to-calculate-availability-of-multiple/m-p/207461#M60487 <P>I'm looking into creating equal availability across the board for different applications that are all being tested by the same tool.<BR /> Because the tool that tests availability can be set to different intervals and can have multiple tests running against the same service, I need to normalise the data so the calculation can take into account different services and the tests beneath them.</P> <P>The flow of my idea is this:<BR /> 1. Break the search time period down into minute buckets (shortest interval time)<BR /> 2. Fill in empty buckets with the contents of the previous bucket<BR /> 3. Any buckets with multiple events need to be singled down to one result, if there is at least 1 fail in there then the bucket is a fail.<BR /> 4. calculate the availability for multiple services</P> <P>So far I have:</P> <PRE><CODE>source=*** (service=*** OR service=***) | bucket span=m _time | stats values(result) AS partResult by _time service | eval finalResult=if(partResult="fail","fail",partResult) | timechart span=m count(eval(finalResult="fail")) as Failures BY service | filldown </CODE></PRE> <P>Now this gives me whether the service is up or down at a specific minute and so it wouldn't matter if there are different run intervals.</P> <P>The problem I have is that I cannot sum the total of failures for the time period so I can calculate a percentage against the time period selected.</P> <P>The reason I have used Timechart is because it was the only way I knew of how to get every minute as a bucket in the selected time period.</P> Fri, 23 Sep 2016 14:16:55 GMT https://community.splunk.com/t5/Splunk-Search/How-to-modify-my-search-to-calculate-availability-of-multiple/m-p/207461#M60487 MattLingwood 2016-09-23T14:16:55Z https://community.splunk.com/t5/Splunk-Search/How-to-modify-my-search-to-calculate-availability-of-multiple/m-p/207462#M60488 <P>Not sure I get the picture of what your final output should look like. Could you please provide your expected output, in tabular form may be, that you need (for the sum of total of failures)?</P> <P>Following suggestion is with some assumptions, give this a try</P> <P><STRONG>Updated</STRONG><BR /> Fixed eval command and adjusted to expected output.</P> <PRE><CODE> source=*** (service=*** OR service=***) | bucket span=m _time | stats count values(result) AS partResult by _time service | eval finalResult=if(isnotnull(mvfilter(match(partResult,"fail"))),1,0) | timechart span=m sum(finalResult) as Failures BY service | filldown | untable _time service failures | stats dc(_time) as TotalMinutes sum(failures) as TotalFailures by service | eval Availability=100- round(TotalFailures*100/TotalMinutes,2) </CODE></PRE> Fri, 23 Sep 2016 16:03:36 GMT https://community.splunk.com/t5/Splunk-Search/How-to-modify-my-search-to-calculate-availability-of-multiple/m-p/207462#M60488 somesoni2 2016-09-23T16:03:36Z https://community.splunk.com/t5/Splunk-Search/How-to-modify-my-search-to-calculate-availability-of-multiple/m-p/207463#M60489 <P>UPDATE:<BR /> Output should look like:<BR /> ServiceA, 100%<BR /> ServiceB, 99.92%<BR /> ServiceC, 100%</P> Fri, 23 Sep 2016 16:35:50 GMT https://community.splunk.com/t5/Splunk-Search/How-to-modify-my-search-to-calculate-availability-of-multiple/m-p/207463#M60489 MattLingwood 2016-09-23T16:35:50Z https://community.splunk.com/t5/Splunk-Search/How-to-modify-my-search-to-calculate-availability-of-multiple/m-p/207464#M60490 <P>So trying this, I get an error with the if statement.</P> <P>I need to be able to calculate availability of 1 or more services separately. So that ServiceA is completely different to ServiceB as seen in my update comment.</P> <P>My algorithm to work it out was 100 - ( ( totalMinuteFailuresPerService / searchPeriodInMinutes ) * 100 ) </P> Fri, 23 Sep 2016 16:40:00 GMT https://community.splunk.com/t5/Splunk-Search/How-to-modify-my-search-to-calculate-availability-of-multiple/m-p/207464#M60490 MattLingwood 2016-09-23T16:40:00Z https://community.splunk.com/t5/Splunk-Search/How-to-modify-my-search-to-calculate-availability-of-multiple/m-p/207465#M60491 <P>Try the updated answer</P> Fri, 23 Sep 2016 16:57:16 GMT https://community.splunk.com/t5/Splunk-Search/How-to-modify-my-search-to-calculate-availability-of-multiple/m-p/207465#M60491 somesoni2 2016-09-23T16:57:16Z https://community.splunk.com/t5/Splunk-Search/How-to-modify-my-search-to-calculate-availability-of-multiple/m-p/207466#M60492 <P>This is a great solution! Thank you for your help</P> Mon, 26 Sep 2016 10:17:55 GMT https://community.splunk.com/t5/Splunk-Search/How-to-modify-my-search-to-calculate-availability-of-multiple/m-p/207466#M60492 MattLingwood 2016-09-26T10:17:55Z https://community.splunk.com/t5/Splunk-Search/How-to-modify-my-search-to-calculate-availability-of-multiple/m-p/207467#M60493 <P>One addition I would add to this is: How can I manipulate the data so it would show it on a day by day basis see example.</P> <P>Day ServiceA ServiceB<BR /> 19/09 100% 100%<BR /> 20/09 100% 100%<BR /> 21/09 100% 100%<BR /> 22/09 99.95% 100%</P> <P>The main time range this will be done in is "Previous Week"</P> Mon, 26 Sep 2016 14:16:43 GMT https://community.splunk.com/t5/Splunk-Search/How-to-modify-my-search-to-calculate-availability-of-multiple/m-p/207467#M60493 MattLingwood 2016-09-26T14:16:43Z https://community.splunk.com/t5/Splunk-Search/How-to-modify-my-search-to-calculate-availability-of-multiple/m-p/207468#M60494 <P>Try like this</P> <PRE><CODE>source=*** (service=*** OR service=***) | bucket span=m _time | stats count values(result) AS partResult by _time service | eval finalResult=if(isnotnull(mvfilter(match(partResult,"fail"))),1,0) | timechart span=m sum(finalResult) as Failures BY service | filldown | untable _time service failures | eval day=strftime(_time,"%m/%d/%Y") | stats dc(_time) as TotalMinutes sum(failures) as TotalFailures by day service | eval Availability=100- round(TotalFailures*100/TotalMinutes,2) | chart values(Availability) over day by service </CODE></PRE> Mon, 26 Sep 2016 15:18:24 GMT https://community.splunk.com/t5/Splunk-Search/How-to-modify-my-search-to-calculate-availability-of-multiple/m-p/207468#M60494 somesoni2 2016-09-26T15:18:24Z https://community.splunk.com/t5/Splunk-Search/How-to-modify-my-search-to-calculate-availability-of-multiple/m-p/207469#M60495 <P>That's perfect, Thank you again!</P> Mon, 26 Sep 2016 15:45:41 GMT https://community.splunk.com/t5/Splunk-Search/How-to-modify-my-search-to-calculate-availability-of-multiple/m-p/207469#M60495 MattLingwood 2016-09-26T15:45:41Z