Dashboards & Visualizations

How to identify each Start - Stop

Imjusttesting
Explorer

Hey Guys, I have a series of data coming in from a black box at a 30s interval. It stops sending data if the machine is shut down and starts sending at a 30s interval again when it is on.

I need to display each Start - Stop event on Splunk. How can I do it?

E.g.
Start 15:56 - Stop 15:56
Start 15:52 - Stop 15:54

0 Karma

woodcock
Esteemed Legend

Try this:

... | bucket _time span=30s | stats count AS numEventsIn30secs BY host _time | streamstats current=t count(eval(numEventsIn30secs>0)) AS outageIfNotIncreasing BY host | stats earliest(_time) AS start latest(_time) AS stopMinus30seconds BY outageIfNotIncreasing host | where start != stopMinus30seconds | eval stop = stopMinus30seconds + 30 | table start stop host
0 Karma

somesoni2
SplunkTrust

Give this a try

Your base search | streamstats current=f window=1 values(_time) as prev by host | eval diff=prev-_time | eval type=if(diff>30,"End","Start") | dedup type | transaction host startswith="type=Start" endswith="type=End" | eval Start=strftime(_time,"%Y-%m-%d %H:%M") | eval End=strftime(_time+duration,"%Y-%m-%d %H:%M") | table host Start End
0 Karma

Imjusttesting
Explorer

Hi Guys,

Can anyone help with the syntax provided by Somesoni2?
I need to set a rule to identify the Start or Stop if the device is not sending any data for more than 30 secs.

I'm kinda desperate here now... Please help
source="gps_Testing.csv" sourcetype="csv" | sort 0 _time | table _time Time ID Lat Long Heading Speed | eval Time=_time | streamstats current=f window=1 values(Lat) as prevLat values(Long) as prevLong values(_time) as prevtime by ID | eval diff=time-prevtime | where diff!=0 | table ID prevtime prevLat prevLong time Lat Long diff | eval Date=strftime(prevtime,"%Y-%m-%d") | eval Start_Time=strftime(prevtime,"%H:%M") | eval End_Time=strftime(time,"%H:%M") | rename prev* as Start* Lat as End_Lat Long as End_Long diff as Outage_Duration | table Date ID Start* End* Outage_Duration

0 Karma

Imjusttesting
Explorer

Hey Guys,

@somesoni2 provided this:
source="gps_Testing.csv" sourcetype="csv" | sort 0 _time | table _time Time ID Lat Long Heading Speed | eval Time=_time | streamstats current=f window=1 values(Lat) as prevLat values(Long) as prevLong values(_time) as prevtime by ID | eval diff=_time-prevtime | where diff!=0 | table ID prevtime prevLat prevLong _time Lat Long diff | eval Date=strftime(prevtime,"%Y-%m-%d") | eval Start_Time=strftime(prevtime,"%H:%M") | eval End_Time=strftime(_time,"%H:%M") | rename prev* as Start* Lat as End_Lat Long as End_Long diff as Outage_Duration | table Date ID Start_* End_* Outage_Duration

Which works fine, showing everything I needed, but every single line is grouped within 1 min, which is off as most of the durations are more than 1 min. I can't seem to find the command that establishes the rule to group the Start and Stop so that:
If the device stops transmitting for more than 30s, consider that as a Stop, and the next incoming will be a new Start.

Can anyone help to improve this? Appreciate it a lot, guys.

0 Karma
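The grouping rule asked for above (a gap of more than 30s closes a session, the next sample opens a new one), written as an added SPL example that is not from any of the posters. It assumes the field names used in the gps_Testing.csv search (ID and _time) and uses a running sum of session boundaries instead of transaction, so each Start - Stop pair comes out as one row per device.

```spl
source="gps_Testing.csv" sourcetype="csv"
| sort 0 _time
| streamstats current=f window=1 last(_time) AS prevtime BY ID
| eval gap=_time-prevtime
| eval new_session=if(isnull(prevtime) OR gap>30, 1, 0)
| streamstats sum(new_session) AS session BY ID
| stats min(_time) AS start_epoch max(_time) AS stop_epoch count AS samples BY ID session
| eval Date=strftime(start_epoch,"%Y-%m-%d")
| eval Start_Time=strftime(start_epoch,"%H:%M:%S")
| eval End_Time=strftime(stop_epoch,"%H:%M:%S")
| eval Duration_sec=stop_epoch-start_epoch
| table Date ID session Start_Time End_Time Duration_sec samples
```

Because the device reports exactly every 30s, a threshold of `gap>30` will also split on a few seconds of jitter; raising it to something like `gap>45` keeps normal reporting in one session while still catching a missed interval.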

Imjusttesting
Explorer

Thanks woodcock and somesoni2

@Woodcock, sorry for not mentioning the Host, but the latest string doesn't help and returns the same error.
@Somesoni2, thanks, but that doesn't return any results.

Let me try to delete and upload the file again. Would you guys like the original file? I can email to both.

Many thanks

0 Karma

somesoni2
SplunkTrust

I've replied to your email. Please check and let me know if that works.

0 Karma

Imjusttesting
Explorer

Thanks. I've replied to your email, not too sure if you received it.
I think there is a problem with my timestamp; I tried a few formats but it doesn't work.
What/how did you transform your timestamp at the "timestamp format"?

0 Karma

woodcock
Esteemed Legend

You do not transform the timestamp, you describe it. If what you describe matches what is in the data, then it works.

0 Karma

Imjusttesting
Explorer

I can't post a printscreen here to show it. Is there any way I can show it to you so you can help me with the timestamp?
The original file timestamp is shown as " dd/mm/yy hh:ss " within a single cell; I can't get Splunk to recognize it.
What's the right way to describe it?

0 Karma

woodcock
Esteemed Legend

Type in the results of this search:

Your base search | head 1 | table _time _raw
0 Karma