Graphing windows system from uptime to downtime

matthewhaswell · ‎07-03-2014

I have a query that provides windows startup, ending and duration - however I was looking for a way to graph this?

The query is:

SourceName=EventLog EventCode=6005 OR EventCode=6006 | transaction host startswith=6005 endswith=6006

I'm looking for a graphical representation of when the small number of PC's are switched on until they are switched off.

Any ideas?

Matt

martin_mueller · ‎07-03-2014

I'm not quite sure what you're looking for in a graph, but here's a stab in the dark:

SourceName=EventLog EventCode=6005 OR EventCode=6006 | eval upordown = if(EventCode=6005, -1, 1)
| streamstats sum(upordown) as pcCount | timechart avg(pcCount)

This basically treats each event as either a +1 or a -1, and tots up the running total before charting it. Experiment with sorting the data either way before the streamstats, depending on what you want to see you'll get weird-looking results one way or the other.

Another way to approach this is using transaction | concurrency:

SourceName=EventLog EventCode=6005 OR EventCode=6006 | transaction host startswith=6005 endswith=6006
| concurrency duration = duration | timechart avg(concurrency) as pcCount

Try both and see what you like more.

Graphing windows system from uptime to downtime

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!