Archive

Find time between groups of events

Engager

So we log an event every hour which will either contain a true or a false. True when we are up and running ok, and false when we are down/not running at full capacity. I've been asked to use this data to track downtime for each of our sites. So for example we might have 12 events that read 'True' surrounded by many 'False' on either side of it, and then days later have a 'pocket' of events that read true again. I'm quite new to Splunk so please excuse any ignorance.

I'm looking for total amount of up time vs down time as well as the individual time for each 'pocket' of events that read true. Is this possible in any capacity to do in Splunk?

Many thanks!

Tags (1)
0 Karma
1 Solution

Splunk Employee
Splunk Employee

If you want to group per hour, Bucket your events per time per hour.
then count the number of hours up or down.

* | bucket _time span=1h | rex "(?<state>(ok|false))" | stats count(eval(state="ok")) AS stateOK count(eval(state="false")) AS stateFALSE by state _time | eval hourly_state=if(stateOK>stateFALSE, "ok","false")

Then you can do a global |states count per hourly_state

Of you need to see the group of events, you can then add a transaction.

[edit] fixed typo in the rex command

View solution in original post

Splunk Employee
Splunk Employee

If you want to group per hour, Bucket your events per time per hour.
then count the number of hours up or down.

* | bucket _time span=1h | rex "(?<state>(ok|false))" | stats count(eval(state="ok")) AS stateOK count(eval(state="false")) AS stateFALSE by state _time | eval hourly_state=if(stateOK>stateFALSE, "ok","false")

Then you can do a global |states count per hourly_state

Of you need to see the group of events, you can then add a transaction.

[edit] fixed typo in the rex command

View solution in original post

Splunk Employee
Splunk Employee

I just fixed a missing closing parentesis in the rex command.

0 Karma

Engager

Great thanks for the help. I'm having trouble setting the rex command. What exactly do I need to plug into it for it to go through?

0 Karma