Dashboards & Visualizations

How to check if date is current date and calculate elapsed seconds since midnight in an eval?

bsg273
Path Finder

I have a query that calculates the daily availability percentages of a given service for a set of hosts and is used to create a multi-series line chart in a Splunk dashboard.  My ps.sh is running every 1800 seconds (30 minutes) on my Splunk forwarders, so I assume that it has run a total of 48 times on any given day to calculate the availability in an eval.  The problem is that on the current date, the ps.sh hasn't run all 48 times yet, so I can't get a valid calculation for the current date.  However, if I was able to check if the date in question was the current date, then calculate the number of seconds that have elapsed since the nearest midnight, I could divide that figure by 1800 to figure out the total number of times ps.sh would've run so far that day (hopefully I'm not overcomplicating this).  To illustrate, here's my query with the pseudo-code of desired logic in it using rhnsd as an example process:


index=os host="my-db-*" sourcetype=ps rhnsd 
| timechart span=1d count by host 
| untable _time host count
| addinfo
| eval availability=if(<date is current date>,count/floor((info_max_time-<nearest midnight time>)/1800)*100,if(count>=48,100,count/48*100)) 
| rename _time as Date host as Host availability as Availability 
| fieldformat Date = strftime(Date, "%m/%d/%Y") 
| xyseries Date Host Availability


Any help I could get with completing the above eval would be greatly appreciated, or if I'm overcomplicating this, any alternative methodologies would be more than welcome.

1 Solution

bsg273
Path Finder

This is the solution I ended up going with.  It simplifies my original logic a bit and also makes the graphs a bit easier to read by displaying hostname only instead of the fqdn.

index=os host="my-db-*" sourcetype=ps rhnsd
| timechart span=1d count by host
| untable _time host count
| addinfo
| eval psRunCount=if(strftime(_time,"%m/%d/%Y")=strftime(info_max_time,"%m/%d/%Y"),floor((info_max_time-relative_time(info_max_time,"@d"))/1800),floor(86400/1800)), availability=if(count>=psRunCount,100,round(count/psRunCount*100,2)), host=mvindex(split(host,"."),0)
| rename _time as Date host as Host availability as Availability
| fieldformat Date=strftime(Date,"%m/%d")
| xyseries Date Host Availability
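As an added example (not from the original thread), this Python model of the accepted eval computes psRunCount and the availability percentage for a constructed set of untable rows, and exposes the case the SPL does not guard: a search run inside the first 30 minutes after midnight gives psRunCount=0, so the division produces a null. Host names, timestamps and counts are assumed sample data; the timezone passed in must match the one Splunk uses when snapping with "@d".

```python
from datetime import datetime, timezone

INTERVAL = 1800                   # ps.sh interval in seconds (30 minutes)
RUNS_PER_DAY = 86400 // INTERVAL  # 48 expected samples on a complete day
UTC = timezone.utc

def _midnight(ts, tz):
    """relative_time(ts, "@d"): snap an epoch value to the start of its day."""
    d = datetime.fromtimestamp(ts, tz)
    return datetime(d.year, d.month, d.day, tzinfo=tz).timestamp()

def expected_runs(day_ts, latest_ts, tz=UTC, interval=INTERVAL):
    """psRunCount: a full day's runs for past days; for the day containing
    latest_ts (info_max_time), only the whole intervals elapsed since midnight."""
    if _midnight(day_ts, tz) != _midnight(latest_ts, tz):
        return 86400 // interval
    return int((latest_ts - _midnight(latest_ts, tz)) // interval)

def availability(count, runs):
    """Availability % for one host/day. Returns None when runs == 0 (search
    ran in the first interval after midnight), where the SPL yields null."""
    if runs == 0:
        return None
    if count >= runs:
        return 100.0
    return round(count / runs * 100, 2)

def availability_table(rows, latest_ts, tz=UTC):
    """rows: (day_epoch, host, count) tuples as untable would emit them.
    Returns (date "%m/%d", short hostname, availability) per row."""
    out = []
    for day_ts, host, count in rows:
        runs = expected_runs(day_ts, latest_ts, tz)
        short = host.split(".")[0]  # mvindex(split(host,"."),0)
        date = datetime.fromtimestamp(day_ts, tz).strftime("%m/%d")
        out.append((date, short, availability(count, runs)))
    return out

def _ts(*args):
    return datetime(*args, tzinfo=UTC).timestamp()

# Constructed sample: two daily buckets for one host; search ran 10:15 UTC.
SAMPLE_ROWS = [
    (_ts(2022, 6, 26), "db01.example.internal", 47),  # complete day, one miss
    (_ts(2022, 6, 27), "db01.example.internal", 19),  # current day, partial
]
SAMPLE_LATEST = _ts(2022, 6, 27, 10, 15)  # info_max_time -> 20 runs so far

if __name__ == "__main__":
    for row in availability_table(SAMPLE_ROWS, SAMPLE_LATEST):
        print(row)
```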



somesoni2
Revered Legend

Give this a try

index=os host="my-db-*" sourcetype=ps rhnsd 
| timechart span=1d count by host 
| untable _time host count
| addinfo
| eval availability=if(strftime(_time,"%F")=strftime(now(),"%F"),count/floor((now()-relative_time(now(),"@d"))/1800)*100,if(count>=48,100,count/48*100)) 
| rename _time as Date host as Host availability as Availability 
| fieldformat Date = strftime(Date, "%m/%d/%Y") 
| xyseries Date Host Availability


bsg273
Path Finder

It's telling me there's an error in the eval command.  I'll post the solution I ended up going with.


richgalloway
SplunkTrust
SplunkTrust

To find the elapsed time since midnight, subtract midnight ("@d") from the event time (_time).

| eval secsSinceMidnight = _time - relative_time(_time, "@d")
