Archive

How to identity each Start - Stop

Explorer

Hey Guys, I've a series of data coming in from a black box via 30s interval. And it stop sending data if the machine is shut down and start sending in 30s interval when is on.

I need to display each Start - Stop event on Splunk. How can i do it?
alt text

E.g.
Start 15:56 - Stop 15:56
Start 15:52 - Stop 15:54

0 Karma
1 Solution

Esteemed Legend

Try this:

... | bucket _time span=30s | stats count AS numEventsIn30secs BY host _time | streamstats current=t count(eval(numEventsIn30secs>0)) AS outageIfNotIncreasing BY host | stats earliest(_time) AS start latest(_time) AS stopMinus30seconds BY outageIfNotIncreasing host | where start != stopMinus30seconds | eval stop = stopMinus30seconds + 30 | table start stop host

View solution in original post

0 Karma

Esteemed Legend

Try this:

... | bucket _time span=30s | stats count AS numEventsIn30secs BY host _time | streamstats current=t count(eval(numEventsIn30secs>0)) AS outageIfNotIncreasing BY host | stats earliest(_time) AS start latest(_time) AS stopMinus30seconds BY outageIfNotIncreasing host | where start != stopMinus30seconds | eval stop = stopMinus30seconds + 30 | table start stop host

View solution in original post

0 Karma

SplunkTrust
SplunkTrust

Give this a try

Your base search | streamstats current=f window=1 values(_time) as prev by host | eval diff=prev-_time | eval type=if(diff>30,"End","Start") | dedup type | transaction host startswith="type=Start" endswith="type=End" | eval Start=strftime(_time,"%Y-%m-%d %H:%M") | eval End=strftime(_time+duration,"%Y-%m-%d %H:%M") | table host Start End
0 Karma

Explorer

Hi Guys,

Anyone can help with the syntax provided by Somesoni2?
I need to set a rule, to identify the Start or Stop if the device is not sending any data for more than 30secs.

I'm kinda desperate here now .... Please help
source="gpsTesting.csv" sourcetype="csv" | sort 0 _time | table _time Time ID Lat Long Heading Speed | eval Time=time | streamstats current=f window=1 values(Lat) as prevLat values(Long) as prevLong values(time) as prevtime by ID | eval diff=time-prevtime | where diff!=0 | table ID prevtime prevLat prevLong time Lat Long diff | eval Date=strftime(prevtime,"%Y-%m-%d") | eval StartTime=strftime(prevtime,"%H:%M") | eval EndTime=strftime(time,"%H:%M") | rename prev* as Start* Lat as EndLat Long as EndLong diff as OutageDuration | table Date ID Start* End* Outage_Duration

0 Karma

Explorer

Hey Guys,

@somesoni2, provided this '
source="gpsTesting.csv" sourcetype="csv" | sort 0 _time | table _time Time ID Lat Long Heading Speed | eval Time=time | streamstats current=f window=1 values(Lat) as prevLat values(Long) as prevLong values(time) as prevtime by ID | eval diff=time-prevtime | where diff!=0 | table ID prevtime prevLat prevLong time Lat Long diff | eval Date=strftime(prevtime,"%Y-%m-%d") | eval StartTime=strftime(prevtime,"%H:%M") | eval EndTime=strftime(time,"%H:%M") | rename prev* as Start* Lat as EndLat Long as EndLong diff as OutageDuration | table Date ID Start* End* Outage_Duration '

Which work fine, showing everything i needed but every single line is group within 1 mins, which is off as most of the duration is more than 1 mins. I can't seem to find the command that establish the rules to group the Start and Stop that ;
If the device stop transmitting for more than 30s, consider that as a Stop and the Next Incoming will be a New
Start

Can anyone help to improve this? appreciate a lot guys

0 Karma

Explorer

Thanks woodcock and somesoni2

@Woodcock, sorry for not mentioning about the Host but the latest string doesnt help and return the same error
@Somesoni2, thanks but that don't return any results.

Let me try to delete and upload the file again. Would you guys like the original file? I can email to both.

Many thanks

0 Karma

SplunkTrust
SplunkTrust

I've replied to your email. Please check and let me know if that works.

0 Karma

Explorer

thanks. I've replied to your email, not too sure if u receive it.
I think there is a problem with my timestamp, i tried a few format but it doesnt work.
What/how did you transform your timestamp at the "timestamp format" ?

0 Karma

Esteemed Legend

You do not transform the timestamp, you describe it. If what you describe matches what is in the data, then it works.

0 Karma

Explorer

i can't post a printscreen here to show it. Is there anyway i can show it to you so u can help me with the timestamp ?
The original file timestamp is showed as " dd/mm/yy hh:ss " within a single cell, i can't get splunk to recognize it.
What the right way to describe it?

0 Karma

Esteemed Legend

Type in the results of this search:

Your base search | head 1 | table _time _raw
0 Karma