Dashboards & Visualizations

How to identity each Start - Stop

Imjusttesting
Explorer

Hey Guys, I've a series of data coming in from a black box via 30s interval. And it stop sending data if the machine is shut down and start sending in 30s interval when is on.

I need to display each Start - Stop event on Splunk. How can i do it?
alt text

E.g.
Start 15:56 - Stop 15:56
Start 15:52 - Stop 15:54

0 Karma
1 Solution

woodcock
Esteemed Legend

Try this:

... | bucket _time span=30s | stats count AS numEventsIn30secs BY host _time | streamstats current=t count(eval(numEventsIn30secs>0)) AS outageIfNotIncreasing BY host | stats earliest(_time) AS start latest(_time) AS stopMinus30seconds BY outageIfNotIncreasing host | where start != stopMinus30seconds | eval stop = stopMinus30seconds + 30 | table start stop host

View solution in original post

0 Karma

woodcock
Esteemed Legend

Try this:

... | bucket _time span=30s | stats count AS numEventsIn30secs BY host _time | streamstats current=t count(eval(numEventsIn30secs>0)) AS outageIfNotIncreasing BY host | stats earliest(_time) AS start latest(_time) AS stopMinus30seconds BY outageIfNotIncreasing host | where start != stopMinus30seconds | eval stop = stopMinus30seconds + 30 | table start stop host
0 Karma

somesoni2
Revered Legend

Give this a try

Your base search | streamstats current=f window=1 values(_time) as prev by host | eval diff=prev-_time | eval type=if(diff>30,"End","Start") | dedup type | transaction host startswith="type=Start" endswith="type=End" | eval Start=strftime(_time,"%Y-%m-%d %H:%M") | eval End=strftime(_time+duration,"%Y-%m-%d %H:%M") | table host Start End
0 Karma

Imjusttesting
Explorer

Hi Guys,

Anyone can help with the syntax provided by Somesoni2?
I need to set a rule, to identify the Start or Stop if the device is not sending any data for more than 30secs.

I'm kinda desperate here now .... Please help
source="gps_Testing.csv" sourcetype="csv" | sort 0 _time | table _time Time ID Lat Long Heading Speed | eval Time=_time | streamstats current=f window=1 values(Lat) as prevLat values(Long) as prevLong values(_time) as prevtime by ID | eval diff=time-prevtime | where diff!=0 | table ID prevtime prevLat prevLong time Lat Long diff | eval Date=strftime(prevtime,"%Y-%m-%d") | eval Start_Time=strftime(prevtime,"%H:%M") | eval End_Time=strftime(time,"%H:%M") | rename prev* as Start* Lat as End_Lat Long as End_Long diff as Outage_Duration | table Date ID Start* End* Outage_Duration

0 Karma

Imjusttesting
Explorer

Hey Guys,

@somesoni2, provided this '
source="gps_Testing.csv" sourcetype="csv" | sort 0 time | table _time Time ID Lat Long Heading Speed | eval Time=_time | streamstats current=f window=1 values(Lat) as prevLat values(Long) as prevLong values(_time) as prevtime by ID | eval diff=_time-prevtime | where diff!=0 | table ID prevtime prevLat prevLong _time Lat Long diff | eval Date=strftime(prevtime,"%Y-%m-%d") | eval Start_Time=strftime(prevtime,"%H:%M") | eval End_Time=strftime(_time,"%H:%M") | rename prev* as Start* Lat as End_Lat Long as End_Long diff as Outage_Duration | table Date ID Start_* End_* Outage_Duration '

Which work fine, showing everything i needed but every single line is group within 1 mins, which is off as most of the duration is more than 1 mins. I can't seem to find the command that establish the rules to group the Start and Stop that ;
If the device stop transmitting for more than 30s, consider that as a Stop and the Next Incoming will be a New
Start

Can anyone help to improve this? appreciate a lot guys

0 Karma

Imjusttesting
Explorer

Thanks woodcock and somesoni2

@Woodcock, sorry for not mentioning about the Host but the latest string doesnt help and return the same error
@Somesoni2, thanks but that don't return any results.

Let me try to delete and upload the file again. Would you guys like the original file? I can email to both.

Many thanks

0 Karma

somesoni2
Revered Legend

I've replied to your email. Please check and let me know if that works.

0 Karma

Imjusttesting
Explorer

thanks. I've replied to your email, not too sure if u receive it.
I think there is a problem with my timestamp, i tried a few format but it doesnt work.
What/how did you transform your timestamp at the "timestamp format" ?

0 Karma

woodcock
Esteemed Legend

You do not transform the timestamp, you describe it. If what you describe matches what is in the data, then it works.

0 Karma

Imjusttesting
Explorer

i can't post a printscreen here to show it. Is there anyway i can show it to you so u can help me with the timestamp ?
The original file timestamp is showed as " dd/mm/yy hh:ss " within a single cell, i can't get splunk to recognize it.
What the right way to describe it?

0 Karma

woodcock
Esteemed Legend

Type in the results of this search:

Your base search | head 1 | table _time _raw
0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...