Re: Evaluate multiple events with same data.

biec1 · ‎04-21-2017

I would like to count the number of times a Server went down based on up/down status field.
How can i evaluate multiple(continuous) down into one down status, when i am receiving events every five minutes?
Multiple(continuous) down for one host should be treated as one down.

Time| Server |Status
3:00 AM Host1 up
3:00 PM Host2 down
3:05 PM Host1 up
3:10 PM Host1 up
3:15 PM Host1 down
3:15 PM Host2 up
3:20 PM Host1 up
3:25 PM Host1 down
3:30 PM Host1 up
3:35 PM Host1 up
3:40 PM Host1 down
3:45 PM Host1 down

richgalloway · ‎04-21-2017

Use the dedup command.

... | dedup Server Status | ...

---
If this reply helps you, Karma would be appreciated.

biec1 · ‎04-21-2017

How can this help me to get the number of the times the server went down in a week?

index=index_names source="rest://" (server="host1" OR server="host2")
| stats latest(_time) as Time values(server_state) as status by server _time
| dedup server status

richgalloway · ‎04-21-2017

Your question was how to evaluate multiple instances of a status value to a single instance. The dedup command does exactly that.
That doesn't tell you how many times a server went down, just the last time the status changed to Up or Down.

---
If this reply helps you, Karma would be appreciated.

biec1 · ‎04-21-2017

I would like to retrieve the number of times a server went down.

Evaluate multiple events with same data.

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms