Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Find time between groups of events

Jesterhead
Engager
‎11-05-2012 04:25 PM

So we log an event every hour which will either contain a true or a false. True when we are up and running ok, and false when we are down/not running at full capacity. I've been asked to use this data to track downtime for each of our sites. So for example we might have 12 events that read 'True' surrounded by many 'False' on either side of it, and then days later have a 'pocket' of events that read true again. I'm quite new to Splunk so please excuse any ignorance.

I'm looking for total amount of up time vs down time as well as the individual time for each 'pocket' of events that read true. Is this possible in any capacity to do in Splunk?

Many thanks!

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎11-05-2012 10:40 PM

If you want to group per hour, Bucket your events per time per hour.
then count the number of hours up or down.

* | bucket _time span=1h | rex "(?<state>(ok|false))" | stats count(eval(state="ok")) AS stateOK count(eval(state="false")) AS stateFALSE by state _time | eval hourly_state=if(stateOK>stateFALSE, "ok","false")

Then you can do a global |states count per hourly_state

Of you need to see the group of events, you can then add a transaction.

[edit] fixed typo in the rex command

View solution in original post

Reply
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎11-05-2012 10:40 PM

If you want to group per hour, Bucket your events per time per hour.
then count the number of hours up or down.

* | bucket _time span=1h | rex "(?<state>(ok|false))" | stats count(eval(state="ok")) AS stateOK count(eval(state="false")) AS stateFALSE by state _time | eval hourly_state=if(stateOK>stateFALSE, "ok","false")

Then you can do a global |states count per hourly_state

Of you need to see the group of events, you can then add a transaction.

[edit] fixed typo in the rex command

Reply
Solved! Jump to solution

yannK
Splunk Employee
Splunk Employee
‎11-06-2012 10:48 AM

I just fixed a missing closing parentesis in the rex command.

0 Karma
Reply
Solved! Jump to solution

Jesterhead
Engager
‎11-06-2012 10:36 AM

Great thanks for the help. I'm having trouble setting the rex command. What exactly do I need to plug into it for it to go through?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...