Solved: Calculate time delta

JiachengWei · ‎05-25-2021

Hi Guys,

I'd like to calculate the time delta. Here is the sample:

_time _raw

2021-5-26 00:00:00 port is down

2021-5-26 00:02:20 port is up

2021-5-26 00:05:00 port is down

2021-5-26 00:10:05 port is up

May I know how to calculate each downtime and sort by '_time' ? Thanks.

What I'd like to see:

_time downtime

2021-5-26 00:00:00 02:20

2021-5-26 00:05:00 05:05

kamlesh_vaghela · ‎05-26-2021

@JiachengWei

Can you please try this?

YOUR_SEARCH
| rex field=_raw "port is (?<status>.*)"
| transaction startswith=(status="not operational") endswith=(status="operational")
| eval downtime=tostring(duration,"duration")
|table _time downtime
|sort _time

My Sample Search :

| makeresults 
| eval _raw="time    raw 
2021-5-26T00:00:00  port is not operational
2021-5-26T00:02:20  port is operational
2021-5-26T00:05:00  port is not operational
2021-5-26T00:10:05  port is operational" 
| multikv forceheader=1 
| eval _time=strptime(time,"%Y-%m-%dT%H:%M:%S"), _raw=raw 
| sort - _time
| rex field=_raw "port is (?<status>.*)"
| transaction startswith=(status="not operational") endswith=(status="operational")
| eval downtime=tostring(duration,"duration")
|table _time downtime
|sort _time

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

View solution in original post

kamlesh_vaghela · ‎05-25-2021

@JiachengWei

Can you please try this?

YOUR_SEARCH
| rex field=_raw "port is (?<status>\w*)"
| transaction startswith="down" endswith="up"
| eval downtime=tostring(duration,"duration")
|table _time downtime
|sort _time

My Sample Code:

| makeresults 
| eval _raw="time    raw 
2021-5-26T00:00:00  port is down
2021-5-26T00:02:20  port is up
2021-5-26T00:05:00  port is down
2021-5-26T00:10:05  port is up" 
| multikv forceheader=1 
| eval _time=strptime(time,"%Y-%m-%dT%H:%M:%S"), _raw=raw 
| sort - _time
| rex field=_raw "port is (?<status>\w*)"
| transaction startswith="down" endswith="up"
| eval downtime=tostring(duration,"duration")
|table _time downtime
|sort _time

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

JiachengWei · ‎05-25-2021

Excellent! Appreciate!

Just a more quick question:

How to fill startswith and endswith for below sample:

time raw

2021-5-26T00:00:00 port is not operational

2021-5-26T00:02:20 port is operational

2021-5-26T00:05:00 port is not operational

2021-5-26T00:10:05 port is operational

ITWhisperer · ‎05-25-2021

startswith="not operational" endswith="is operational"

JiachengWei · ‎05-25-2021

I have tried that previously. Not working...

kamlesh_vaghela · ‎05-26-2021

@JiachengWei

Can you please try this?

YOUR_SEARCH
| rex field=_raw "port is (?<status>.*)"
| transaction startswith=(status="not operational") endswith=(status="operational")
| eval downtime=tostring(duration,"duration")
|table _time downtime
|sort _time

My Sample Search :

| makeresults 
| eval _raw="time    raw 
2021-5-26T00:00:00  port is not operational
2021-5-26T00:02:20  port is operational
2021-5-26T00:05:00  port is not operational
2021-5-26T00:10:05  port is operational" 
| multikv forceheader=1 
| eval _time=strptime(time,"%Y-%m-%dT%H:%M:%S"), _raw=raw 
| sort - _time
| rex field=_raw "port is (?<status>.*)"
| transaction startswith=(status="not operational") endswith=(status="operational")
| eval downtime=tostring(duration,"duration")
|table _time downtime
|sort _time

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

Calculate time delta

eval

timechart

Monitoring MariaDB and MySQL

Financial Services Industry Use Cases, ITSI Best Practices, and More New Articles ...

Splunk Federated Analytics for Amazon Security Lake