Archive

## system uptime calculation

Explorer

I have a field uptime which is being forwarded from one of the server i want to monitor its uptime. This field has accumulated value of time in seconds. How do i calculate uptime of server in percentage given the date range.

Tags (1)
1 Solution
Contributor

Assuming uptime values makes sense: for this example first two lines have the same starting time.
And timestamp is recognized as _time field,

If the source looks like this:

``````|makeresults |eval a="time=15-01-2016 02:05:34.00, uptime=1231 BR
time=15-01-2016 02:45:32.00, uptime=3629 BR
time=16-01-2016 06:03:15.00, uptime=93253" |table a
|makemv delim="BR" a |mvexpand a |rename a as _raw |extract |eval _time=strptime(time,"%d-%m-%Y %H:%M:%S") |table _time uptime

_time                 uptime
--------------------------------
2016-01-15 02:05:34 1231
2016-01-15 02:45:32 3629
2016-01-16 06:03:15 93253
``````

Then the following query will calculate the precentage of uptime and downtime

``````|makeresults |eval a="time=15-01-2016 02:05:34.00, uptime=1231 BR
time=15-01-2016 02:45:32.00, uptime=3629 BR
time=16-01-2016 06:03:15.00, uptime=93253" |table a
|makemv delim="BR" a |mvexpand a |rename a as _raw |extract |eval _time=strptime(time,"%d-%m-%Y %H:%M:%S") |table _time uptime

|eval start=_time-uptime,end=_time |eval startc=start,endc=end
|convert ctime(*c) |sort - _time |dedup start |reverse | streamstats values(end) as before_end window=1 current=f |eval downtime=start-before_end |stats sum(uptime) as uptime sum(downtime) as downtime
|eval overall=uptime+downtime |eval uptime=(uptime/overall)*100,downtime=(downtime/overall)*100 |table uptime downtime
``````

Result:

``````uptime  downtime
95.08   4.92
``````
Contributor

Assuming uptime values makes sense: for this example first two lines have the same starting time.
And timestamp is recognized as _time field,

If the source looks like this:

``````|makeresults |eval a="time=15-01-2016 02:05:34.00, uptime=1231 BR
time=15-01-2016 02:45:32.00, uptime=3629 BR
time=16-01-2016 06:03:15.00, uptime=93253" |table a
|makemv delim="BR" a |mvexpand a |rename a as _raw |extract |eval _time=strptime(time,"%d-%m-%Y %H:%M:%S") |table _time uptime

_time                 uptime
--------------------------------
2016-01-15 02:05:34 1231
2016-01-15 02:45:32 3629
2016-01-16 06:03:15 93253
``````

Then the following query will calculate the precentage of uptime and downtime

``````|makeresults |eval a="time=15-01-2016 02:05:34.00, uptime=1231 BR
time=15-01-2016 02:45:32.00, uptime=3629 BR
time=16-01-2016 06:03:15.00, uptime=93253" |table a
|makemv delim="BR" a |mvexpand a |rename a as _raw |extract |eval _time=strptime(time,"%d-%m-%Y %H:%M:%S") |table _time uptime

|eval start=_time-uptime,end=_time |eval startc=start,endc=end
|convert ctime(*c) |sort - _time |dedup start |reverse | streamstats values(end) as before_end window=1 current=f |eval downtime=start-before_end |stats sum(uptime) as uptime sum(downtime) as downtime
|eval overall=uptime+downtime |eval uptime=(uptime/overall)*100,downtime=(downtime/overall)*100 |table uptime downtime
``````

Result:

``````uptime  downtime
95.08   4.92
``````
Explorer

Explorer

Thanks morley, this query works for events starting with uptime 0 to some value, if server restarts, uptime starts from 0. for this scenario, the uptime calculation doesn't workout!

[2017-02-09 04:53:27,006]: host="infor-gtnalpq-msa1-1" , uptime="327"
[2017-02-09 04:53:28,006]: host="infor-gtnalpq-msa1-1" , uptime="328"
[2017-02-09 04:53:29,006]: host="infor-gtnalpq-msa1-1" , uptime="329"
[2017-02-09 04:53:30,006]: host="infor-gtnalpq-msa1-1" , uptime="330"
[2017-02-09 04:53:34,006]: host="infor-gtnalpq-msa1-1" , uptime="0"
[2017-02-09 04:53:35,006]: host="infor-gtnalpq-msa1-1" , uptime="1"
[2017-02-09 04:53:36,006]: host="infor-gtnalpq-msa1-1" , uptime="2"
[2017-02-09 04:53:37,006]: host="infor-gtnalpq-msa1-1" , uptime="3"
[2017-02-09 04:53:38,006]: host="infor-gtnalpq-msa1-1" , uptime="4"

Explorer

example splunk events below:

timestamp=15-01-2016 02:05:34.00, uptime=1231
timestamp=15-01-2016 04:07:22.00, uptime=2398
timestamp=16-01-2016 06:03:15.00, uptime=198792

if the servecr is restarted the uptime counter starts from 0. Based on these events, i need to calculate the % uptime , % downtime for the server. Could you please assist.

Contributor

It would help if you will post some examples to the uptime and date range fields

State of Splunk Careers