Hey Guys, I've a series of data coming in from a black box at 30s intervals. It stops sending data if the machine is shut down and starts sending at 30s intervals again when it is on.
I need to display each Start - Stop event on Splunk. How can I do it?
E.g.
Start 15:56 - Stop 15:56
Start 15:52 - Stop 15:54
Try this:
... | bucket _time span=30s | stats count AS numEventsIn30secs BY host _time | streamstats current=t count(eval(numEventsIn30secs>0)) AS outageIfNotIncreasing BY host | stats earliest(_time) AS start latest(_time) AS stopMinus30seconds BY outageIfNotIncreasing host | where start != stopMinus30seconds | eval stop = stopMinus30seconds + 30 | table start stop host
Give this a try
Your base search | streamstats current=f window=1 values(_time) as prev by host | eval diff=prev-_time | eval type=if(diff>30,"End","Start") | dedup type | transaction host startswith="type=Start" endswith="type=End" | eval Start=strftime(_time,"%Y-%m-%d %H:%M") | eval End=strftime(_time+duration,"%Y-%m-%d %H:%M") | table host Start End
Hi Guys,
Can anyone help with the syntax provided by Somesoni2?
I need to set a rule to identify the Start or Stop if the device is not sending any data for more than 30 secs.
I'm kinda desperate here now .... Please help
source="gps_Testing.csv" sourcetype="csv" | sort 0 _time | table _time Time ID Lat Long Heading Speed | eval Time=_time | streamstats current=f window=1 values(Lat) as prevLat values(Long) as prevLong values(_time) as prevtime by ID | eval diff=_time-prevtime | where diff!=0 | table ID prevtime prevLat prevLong _time Lat Long diff | eval Date=strftime(prevtime,"%Y-%m-%d") | eval Start_Time=strftime(prevtime,"%H:%M") | eval End_Time=strftime(_time,"%H:%M") | rename prev* as Start* Lat as End_Lat Long as End_Long diff as Outage_Duration | table Date ID Start* End* Outage_Duration
Hey Guys,
@somesoni2, provided this '
source="gps_Testing.csv" sourcetype="csv" | sort 0 time | table _time Time ID Lat Long Heading Speed | eval Time=_time | streamstats current=f window=1 values(Lat) as prevLat values(Long) as prevLong values(_time) as prevtime by ID | eval diff=_time-prevtime | where diff!=0 | table ID prevtime prevLat prevLong _time Lat Long diff | eval Date=strftime(prevtime,"%Y-%m-%d") | eval Start_Time=strftime(prevtime,"%H:%M") | eval End_Time=strftime(_time,"%H:%M") | rename prev* as Start* Lat as End_Lat Long as End_Long diff as Outage_Duration | table Date ID Start_* End_* Outage_Duration '
Which works fine, showing everything I needed, but every single line is grouped within 1 min, which is off as most of the durations are more than 1 min. I can't seem to find the command that establishes the rule to group the Start and Stop so that:
If the device stops transmitting for more than 30s, consider that as a Stop, and the next incoming event will be a new Start.
Can anyone help to improve this? Appreciate it a lot, guys.
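The rule stated in the post above (a gap of more than one reporting interval ends a run, and the next report opens a new one) is what the streamstats/stats answers are trying to express in SPL. As an added example that is not from the original thread or from either answerer, here is the same gap-based sessionization written out in plain Python so the grouping logic can be checked against a small constructed file before debugging it inside Splunk. The sample lines, the "dd/mm/yy HH:MM:SS" timestamp layout, the ID column and the 30-second interval are all assumptions made for the example; the original file's exact timestamp format is not shown in the thread.

```python
from datetime import datetime, timedelta

# Constructed sample input (not the poster's real gps_Testing.csv):
# "timestamp,ID" lines, deliberately out of order and with two devices,
# so the code has to sort and group before looking for gaps.
SAMPLE = """\
01/03/17 15:52:00,DEV1
01/03/17 15:52:30,DEV1
01/03/17 15:52:00,DEV2
01/03/17 15:53:00,DEV1
01/03/17 15:53:30,DEV1
01/03/17 15:52:30,DEV2
01/03/17 15:54:00,DEV1
01/03/17 15:56:00,DEV1
01/03/17 15:56:30,DEV1
01/03/17 15:58:00,DEV1
"""

# Assumed timestamp layout; this is the "description" of the timestamp that
# Splunk's TIME_FORMAT would also need (same strptime-style directives).
TIME_FORMAT = "%d/%m/%y %H:%M:%S"
INTERVAL = timedelta(seconds=30)      # expected reporting cadence


def parse_events(text):
    """Turn the CSV-ish lines into (device_id, datetime) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, dev = line.split(",")
        events.append((dev.strip(), datetime.strptime(ts.strip(), TIME_FORMAT)))
    return events


def sessionize(events, max_gap=INTERVAL):
    """Group events per device into (device, start, stop) runs.

    Events are sorted by device then time. Within a device, a gap strictly
    larger than max_gap closes the current run and the next event opens a
    new one. `stop` is the last report seen in the run, matching the
    poster's "Start 15:52 - Stop 15:54" layout; woodcock's SPL answer
    instead reports the last seen time plus the interval, which you get by
    returning prev + max_gap below.
    """
    runs = []
    for dev, t in sorted(events):
        if not runs or runs[-1][0] != dev:
            runs.append([dev, t, t])        # first event of a new device
            continue
        last_stop = runs[-1][2]
        if t - last_stop > max_gap:
            runs.append([dev, t, t])        # gap: close old run, open new
        else:
            runs[-1][2] = t                 # still within cadence: extend
    return [tuple(r) for r in runs]


def format_runs(runs):
    """Render runs as the 'Start HH:MM - Stop HH:MM' strings the poster wants."""
    return [
        f"{dev}: Start {start:%H:%M} - Stop {stop:%H:%M}"
        for dev, start, stop in runs
    ]


if __name__ == "__main__":
    for line in format_runs(sessionize(parse_events(SAMPLE))):
        print(line)
```

Note the strict `>` in the gap test: a device that reports exactly every 30 s never trips it, but real feeds usually have a few seconds of jitter, so in practice `max_gap` should be set a little above the nominal interval (45 s, say) or the runs will fragment exactly the way the 1-minute groupings in the post above did.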
Thanks woodcock and somesoni2
@Woodcock, sorry for not mentioning the Host, but the latest string doesn't help and returns the same error.
@Somesoni2, thanks, but that doesn't return any results.
Let me try to delete and upload the file again. Would you guys like the original file? I can email it to both of you.
Many thanks
I've replied to your email. Please check and let me know if that works.
Thanks. I've replied to your email, not too sure if you received it.
I think there is a problem with my timestamp; I tried a few formats but it doesn't work.
What/how did you transform your timestamp in the "timestamp format"?
You do not transform the timestamp, you describe it. If what you describe matches what is in the data, then it works.
I can't post a screenshot here to show it. Is there any way I can show it to you so you can help me with the timestamp?
The original file timestamp is shown as " dd/mm/yy hh:ss " within a single cell; I can't get Splunk to recognize it.
What is the right way to describe it?
Type in the results of this search:
Your base search | head 1 | table _time _raw
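To make "describe the timestamp" concrete, here is an added example of what that description looks like in props.conf for a CSV source. It is not from the thread or from Splunk's documentation for this particular file, and it assumes three things the thread does not confirm: that the CSV is indexed with structured-data extraction, that the timestamp column is the one called Time in the searches above, and that the cell layout is day/month/two-digit-year followed by hours:minutes (the post says "hh:ss", which is read here as hh:mm). Adjust the directives to whatever `| head 1 | table _time _raw` actually shows.

```ini
# props.conf on the indexer/forwarder for the CSV sourcetype (example, assumptions noted above)
[csv]
INDEXED_EXTRACTIONS = csv
# column that holds the timestamp (assumed to be "Time", as in the searches in this thread)
TIMESTAMP_FIELDS = Time
# describe, do not transform: %d/%m/%y %H:%M matches "01/03/17 15:52"
TIME_FORMAT = %d/%m/%y %H:%M
# two-digit years and historical test files can fall outside the default
# parsing window, which silently leaves _time at index time instead
MAX_DAYS_AGO = 10951
```

If the format does not match the raw cell exactly (wrong separator, year length or field order), Splunk falls back to index time, which is the most common reason a gap-detection search like the ones above produces nothing or groups everything into the same minute.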