I need to find how many machines in a store have b...

swatTC · ‎07-30-2018

There are more than 600+ store each having 50+ machines. The query i used is

storeNo="*" | table machineId,storeId,_time | sort 0 machineId,_time | streamstats window=1 current=f global=f values(_time) as next_seq by machineId | eval diff = tostring(_time - next_seq,"duration") | eval days=if(match(diff,"\+"),replace(diff,"(\d+)(\+.*)","\1"),0)

It works fine with 1 or 2 stores. However the problem occurs when i run it across all stores. The final result tends to leave out some information/values from the final table. I suspect a memory issue but not sure.

I am a month old to Splunk and learning. Can you help me out here by suggesting any alternative method like iteration/looping or any methods where i can consume less memory.

somesoni2 · ‎07-30-2018

Give this a try

storeNo="*" | table machineId,storeId,_time | streamstats window=1 current=f global=f values(_time) as next_seq by machineId | eval diff = abs(_time - next_seq) | eval days=floor(diff/86400)

swatTC · ‎07-31-2018

The above query is not working. Thank you anyways. My issue is , my posted query works fine with a single store but fails when i run it across all stores.

thambisetty · ‎07-30-2018

Whats the logic to identify server is offline or online?

————————————
If this helps, give a like below.

swatTC · ‎07-31-2018

The timestamp between successive logs received for each machine in a store. I need to do a difference between these two time and find if it is greater than say 30 days, indicating the machine has been offline for that period.

I need to find how many machines in a store have been offline more than 30 days over a 7 month time frame.

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life