Solved: Search for Server Uptime for last 24hrs

splunker9999 · ‎02-15-2016

Hi ,

We are looking for a search for server uptime and downtime.

Server is up from last 20days, and results will be retireved only if we select 20days from timepicker,

We are looking a search for below scenarios.

1.but we are looking for 24hrs period where if the search has not retireved any results during this period then it can say the status as UP.
2.If it retrieves any results during that period, then it should verify status and displays the result.

Will this be possible?

Below is our sample search we are using which could display lastuptime and current status.(this we needs to select timepicker for 20days)

index=f5 Server1 monitor status | head 1 | eval status=if(F5_TCPStatus="up",10,0) | stats sum(status) AS severity | rangemap field=severity severe=0-9 low=10-11 default=elevated

renjith_nair · ‎02-15-2016

Try

|stats count |eval dummy=10|appendcols [search index=f5 Server1 monitor status | head 1 
|eval tmpstatus=if(F5_TCPStatus="up",10,0)|fields tmpstatus]
|eval status=coalesce(tmpstatus,dummy)
|stats sum(status) AS severity | rangemap field=severity severe=0-9 low=10-11 default=elevated

Happy Splunking!

View solution in original post

Richfez · ‎02-15-2016

Do you happen to have a list of what servers you actually have already? Or will we need to help you generate that?

renjith_nair · ‎02-15-2016

Try

|stats count |eval dummy=10|appendcols [search index=f5 Server1 monitor status | head 1 
|eval tmpstatus=if(F5_TCPStatus="up",10,0)|fields tmpstatus]
|eval status=coalesce(tmpstatus,dummy)
|stats sum(status) AS severity | rangemap field=severity severe=0-9 low=10-11 default=elevated

Happy Splunking!

splunker9999 · ‎02-15-2016

This seems to be working, Thank you very much 🙂

richgalloway · ‎02-15-2016

Try this. It sets F5_TCPStatus to "up" if it is not found in an event.

index=f5 Server1 monitor status | head 1 | fillnull value="up" F5_TCPStatus | eval status=if(F5_TCPStatus="up",10,0) | stats sum(status) AS severity | rangemap field=severity severe=0-9 low=10-11 default=elevated

---
If this reply helps you, Karma would be appreciated.

splunker9999 · ‎02-16-2016

HI, Thanks.

Just for Confirmation, If we have count =1 and status as down/up ,does this query retrieves the result from F5_TCPStatus?

splunker9999 · ‎02-16-2016

Thank you very much @richgalloway, this search works good and liked it much!!

splunker9999 · ‎02-15-2016

Still this search displaying "no results found" if we select for last 24 hrs.

richgalloway · ‎02-15-2016

If your search returns no events at all then fillnull won't help. Try this instead.

index=f5 Server1 monitor status | head 1 | fillnull value="up" F5_TCPStatus | eval status=if(F5_TCPStatus="up",10,0) | appendpipe [ stats count | eval status=10 | where count==0 | fields - count ] | stats sum(status) AS severity | rangemap field=severity severe=0-9 low=10-11 default=elevated

---
If this reply helps you, Karma would be appreciated.

splunker9999 · ‎02-16-2016

Hi,

Thanks , Just for confirmation as we dont have sample data to test this.
What happens if we have count =1 and F5_TCPStatus=down/up , this query will display the value in F5_TCPStatus?

Thanks
Sarath

Search for Server Uptime for last 24hrs

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor