
Measure availability during certain hours of the day

JYTTEJ
Communicator

Hi, I have created the following search to measure availability per day (24 hours):

    host=xxxxxp*
    | delta _time AS timeDeltaS p=1
    | eval timeDeltaS=abs(timeDeltaS)
    | eval timeDelta=tostring(timeDeltaS,"duration")
    | where timeDeltaS >15
    | RENAME timeDeltaS as Sec_unavailable
    | APPEND [SEARCH host=xxxxxp* PRJ=PRJABC | eval Sec_unavailable=0 ]
    | bucket _time span=1d
    | stats sum(Sec_unavailable) by _time
    | RENAME sum(Sec_unavailable) as sec_unavail
    | eval avail=86400-sec_unavail
    | eval AvailPct = round((avail/86400)*100,2)
    | timechart span=1d sum(AvailPct)
    | RENAME sum(AvailPct) as "Avail.Pct"

This calculates availability % per day: round((avail/86400)*100,2)

Now I want to calculate the availability within the service hours (07 to 19 GMT) per day.
I know how to select the service hours (date_hour >07 AND date_hour <19) - and I have changed the 86400 (24 hours) seconds to 46800 (=13 hours) - but I am getting negative availability...

I believe this is due to the *bucket _time span=1d* - but I am very much lost as to which bucket command I should use?

0 Karma

Ayn
Legend

Well, without having had a closer look at your search, if your search that spans 1 day is to be changed into a search that spans 12 hours, then the bucket command should likely be changed accordingly. So: bucket _time span=12h

0 Karma

JYTTEJ
Communicator

I found the reason why I was getting a negative value. This is because the search calculates the difference in time between 20:00 and 07:00 - how do I avoid that?
I only want to calculate any difference in time between 07:00 and 20:00 - how do I accomplish that?

0 Karma
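
The overnight-gap effect described in the last post, as an added example that is not part of the thread and is written in Python rather than SPL: it contrasts filtering to service hours before diffing with clipping each long gap to the day's 07:00-19:00 GMT window. The function names and the sample heartbeat data are constructed for illustration; the 15-second cutoff comes from the search above.

```python
from datetime import date, datetime, time, timedelta, timezone

GAP_THRESHOLD_S = 15      # same cutoff as "where timeDeltaS >15" in the search
START_H, END_H = 7, 19    # service hours in GMT (assumed window 07:00-19:00)

def _window(day):
    return (datetime.combine(day, time(START_H), tzinfo=timezone.utc),
            datetime.combine(day, time(END_H), tzinfo=timezone.utc))

def _pct(window_s, down_s):
    return round((window_s - down_s) / window_s * 100, 2)

def naive_availability(events, day):
    """Filter to service hours, then diff neighbours: the overnight silence
    becomes one large gap charged to the first in-hours event of `day`."""
    start, end = _window(day)
    kept = sorted(t for t in events if START_H <= t.hour < END_H)
    down = sum((cur - prev).total_seconds()
               for prev, cur in zip(kept, kept[1:])
               if cur.date() == day
               and (cur - prev).total_seconds() > GAP_THRESHOLD_S)
    return _pct((end - start).total_seconds(), down)

def clipped_availability(events, day):
    """Diff neighbours over all events, then count only the part of each
    long gap that overlaps the service window of `day`."""
    start, end = _window(day)
    points = sorted(events)
    if not points or points[0] > start:   # nothing seen before the window opens
        points.insert(0, start)
    if points[-1] < end:                  # nothing seen after the window closes
        points.append(end)
    down = 0.0
    for prev, cur in zip(points, points[1:]):
        if (cur - prev).total_seconds() > GAP_THRESHOLD_S:
            overlap = (min(cur, end) - max(prev, start)).total_seconds()
            down += max(0.0, overlap)
    return _pct((end - start).total_seconds(), down)

def sample_events():
    """Constructed data: 10 s heartbeats 07:00-20:00 on two days, silent
    overnight, with a 30 minute outage on day two starting at 10:00."""
    out = []
    for d in (date(2024, 1, 1), date(2024, 1, 2)):
        base = datetime.combine(d, time(7), tzinfo=timezone.utc)
        out += [base + timedelta(seconds=s) for s in range(0, 13 * 3600 + 1, 10)]
    lo = datetime(2024, 1, 2, 10, 0, tzinfo=timezone.utc)
    return [t for t in out if not lo < t < lo + timedelta(minutes=30)]
```

On the sample data the filter-first version goes negative for day two because the 18:59:50 to 07:00:00 silence is counted as downtime, while the clipped version charges only the 30 minute outage.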