Finding the duration of time spent in two differen...

vbhadra · ‎10-21-2021

Hi

I am working in a system which looks for DFS (Dynamic Frequency Selection) channels. The search starts with the following event:

CAC_STARTED.

If if find a DFS channel then the search ends with CAC_COMPLETED and stays in DFS channel. If there is a radar detected, then the search ends with CAC_STOPPED and the system switches to non-DFS channel. Later the system again searches for DFS channel with CAC_STARTED and the patter follows.

I am trying to calculate the time spent on DFS and non-channels in a day.

Can someone please help me with the queries. I tried the following:

index=* mac="0cf9c0fef6fe" ("ACI_CAC_COMPLETED")
| sort _time
| stats max(_time) as maxtime min(_time) as mintime
| eval maxt=strftime(maxtime,"%d:%H:%M:%S")
| eval mint=strftime(mintime,"%d:%H:%M:%S")

This gives me the total time spend on DFS channel BUT only if the system has never switched to non-DFS channel, ie., the ACI_CAC_STOPPED event never appeared in the whole span. How do I check if there was a ACI_CAC_STOPPED event in between an calculate the dfs and non-dfs time spent durations? Please advise.

vbhadra · ‎10-21-2021

Sorry I realised the query I have pasted is also wrong, I wanted to paste the below instaed:

index=* mac="783e535cf278" ("ACI_CAC_COMPLETED")
| stats max(_time) as maxtime min(_time) as mintime
| eval difference=maxtime-mintime
| eval difference=strftime(difference,"%d:%H:%M:%S")

Sorry for the mess, this is my first time here, so please bear with me :).

vbhadra · ‎10-21-2021

clarify CAC_COMPLETED and ACI_CAC_COMPLETED are same, all the events are prefixed with ACI_. Sorry for the cofusion.

Finding the duration of time spent in two different states of the system

HTTP Event Collector

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!