Splunk Search

Calculate duration sum of consecutive events with other events in between.

smahoney
Path Finder

Haven't been able to find this, but I want to basically calculate up time percentage for a host based on 2 unique events.  One gets logged when something is bad, the other gets logged when everything is fine.  

An example would be to have a host log 10 minutes of "ok" events, then 4 minutes of "bad" events, then 18 minutes of "on" events, etc.

I need to output the following based on the search range of the query.

Host | total_ok_duration | total_bad_duration | percentage_ok_duration

This needs to be run and return results for multiple hosts as well.

0 Karma

PickleRick
SplunkTrust

The problem is not well defined. If you simply want the ratio of good vs. bad, stats count by state (good/bad) should be enough.

If you have events indicating start/stop of periods of good/bad state it's gonna be harder and you'll have to use streamstats.

0 Karma

smahoney
Path Finder

It's the second one, but no streamstats solution provided will work that I have seen. Let's say I have between 40 and 1000 events, any ratio can be good vs bad, with no correlation on how often each good vs bad occurs on a time basis and no set amount that occurs before a transition happens for each host.

That is the problem I have not seen anyone be able to solve.

0 Karma

PickleRick
SplunkTrust

The typical approach to such a case is to use streamstats to find the last occurrence of a different state than the one at a given moment (using reset_on_change=t or reset_before/reset_after).

That's probably your only reasonable approach since you need to "carry over" information from some events into other ones and this (along with the autoregress) is the command to do so.

0 Karma

smahoney
Path Finder

The problem I am having is adding up all the consecutive durations of each "period" good and bad, when they occur in random lengths repeatedly throughout the time searched.

0 Karma

_JP
Contributor

While not the most efficient command in the book, perhaps the transaction command could be helpful because you can define the start/end events and it will calculate stuff like duration for you of the overall transaction.

Also, this discussion seemed to be similar to yours:

How to calculate uptime percentage based on my dat... - Splunk Community

0 Karma

smahoney
Path Finder

Unfortunately that won't work as there can be an unlimited number of consecutive strings of events between the 2 logged events and it needs to calculate the durations of each, which I haven't seen any solutions in the community successfully solve.

0 Karma

_JP
Contributor

It sounds like you will have to build an SPL query using the eventstats command, or possibly the streamstats command. Since I can't see your data I'm not sure what would be the best approach, but there is a slight difference between these two commands.

Eventstats is like the stats command where it looks at all of the events matched by your query, but it does not transform the stream, it just adds additional fields to every event. For example, you could count your up and bad events using eventstats by host. Then, each event for that host would have the total counts on every event. So if there were six up events, and seven bad events for a host, then each of those 13 events would have an up value of six and bad value of seven.

Alternatively, streamstats only looks at events in the stream up to and including the point where you are in the stream - it doesn't know about "future" events in the result set. This is good for things like a running average, but has other uses. So in your case, the first up event would have a count of 1, the second up event a count of two, the first bad event a count of 1, and so on...the last up would have a count of six and the last bad a count of seven.

I know you mentioned duration...you can also add up the time differences using these commands, too, by doing math on _time.

0 Karma
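An added SPL example (not from any post in this thread) that does the "math on _time" described above: streamstats carries each event's state and timestamp forward to the next event for the same host, so the gap between two consecutive events is attributed to the state that was in effect during it, and stats then sums those gaps per state. It uses a plain current=f window=1 carry-over rather than reset_on_change, and assumes the index, sourcetype and the "ok"/"bad" text in _raw as placeholders for your own data.

```spl
index=<your_index> sourcetype=<your_sourcetype> ("ok" OR "bad")
| eval state=if(match(_raw, "bad"), "bad", "ok")
| sort 0 _time
| streamstats current=f window=1 last(_time) as prev_time last(state) as prev_state by host
| eval interval=if(isnotnull(prev_time), _time - prev_time, 0)
| eval ok_secs=if(prev_state="ok", interval, 0)
| eval bad_secs=if(prev_state="bad", interval, 0)
| stats sum(ok_secs) as total_ok_duration sum(bad_secs) as total_bad_duration by host
| eval total=total_ok_duration + total_bad_duration
| eval percentage_ok_duration=if(total > 0, round(100 * total_ok_duration / total, 2), null())
| fields host total_ok_duration total_bad_duration percentage_ok_duration
```

Durations are in seconds and any number of repeated "ok" or "bad" events in a row simply extend that state's total. Time before the first event and after the last event of each host within the search range is not counted, so widen the range or add synthetic boundary events if that matters.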