Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can I write a search that shows up and down status in bar graph for past 30 days by server?

splunker9999
Path Finder
‎02-03-2016 07:17 AM

Hi,

we need to create a dashboard which shows up and down status in bar graph for past 30 days by server

we are now thinking like below query lists us the number of times the server is down for past 30 days and from query below if the count is >0 then server is down ,else it is up.
from the above scenario how can we plot a bar graph? could some one please help.

index=_internal sourcetype=scheduler alert_actions!="" (down OR up) user=admin   savedsearch_id !="admin;search; Stage Silo A Down" AND savedsearch_id != "admin;search; Stage Silo B Down" AND savedsearch_id != "admin;search; Stage Silo C Down" AND savedsearch_id !="admin;search; Stage Silo D Down"| timechart span=1d count(savedsearch_id) by savedsearch_id|rename "admin;search; Prod Silo 1 is Down"  as "SILO1_Down", "admin;search; Prod Silo 2 is Down" as "SILO2_Down" ,"admin;search; Prod Silo 3 is Down" as SILO3_Down ,"admin;search; Prod Silo 4 is Down" as SILO4_Down

Query2:

We also need to create another dashboard "with the time the server went down" and "when it came back up" and "time it took to come up" for last 30 days.

This is also same for above query and server.

Can someone please help

0 Karma
Reply

piebob
Splunk Employee
Splunk Employee
‎02-03-2016 12:56 PM

i've edited the title of your question to actually reflect what you're asking, as well as made it a question. when you post in the future, please do try to make your post title summarize the exact thing you're asking. this makes it easier for people to search and find what they need on Answers.

Reply

renjith_nair
Legend
‎02-03-2016 09:10 AM

Try something like 

your search |timechart span=1d count(savedsearch_id) by savedsearch_id|untable _time savedsearch_id count|eval status=if(count>0,"Down","Up")

Now you can chart it based on your requirement.

For query 2 , you can use transaction command 

your base search | transaction savedsearch_id "other common unique fields " |chart values(duration) over _time by savedsearch_id

OR

your base search | stats first(_time) as End,last(_time) as Start by savedsearch_id|eval diff=End-Last
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply

splunker9999
Path Finder
‎02-03-2016 10:45 AM

Its not retrieving any results.

Just want to shorten the query to get more information:
index=_internal sourcetype=scheduler alert_actions!="" (down OR up) user=admin savedsearch_id="admin;search; Prod Silo 1 is Down" OR savedsearch_id= "admin;search; Prod Silo 1 is UP"
|chart count(savedsearch_id) by _time,savedsearch_id|rename "admin;search; Prod Silo 1 is Down" as "SILO1_Down", "admin;search;Prod Silo 1 is UP" as SILO1_UpTime
| convert ctime(_time)

We actually needs below information :
1.We need find difference between Downtime and Uptime: In the above example it went down at 18:06:02.299 and came up at 18:12:02.005( we need to find difference in minutes,here it is around 5 mins).

  1. we need to add two more fields difference , Percentage down time(difference we get from above/24*60) - Probably we can use eval command to do this

  2. The above query I have used for 30 days, it went down only one day(17 Jan), we need to create a dashboard such that it should show 100% up for remaining 29 days(except 17th Jan) and 17 th Jan it should show as 98% Up and 2% down

Reply

renjith_nair
Legend
‎02-03-2016 08:13 PM

Which search is not giving result (first or second)?

First search will be

 index=_internal sourcetype=scheduler alert_actions!="" (down OR up) user=admin   savedsearch_id !="admin;search; Stage Silo A Down" AND savedsearch_id != "admin;search; Stage Silo B Down" AND savedsearch_id != "admin;search; Stage Silo C Down" AND savedsearch_id !="admin;search; Stage Silo D Down"| timechart span=1d count(savedsearch_id) by savedsearch_id|untable _time savedsearch_id count|eval status=if(count>0,"Down","Up")

and then you do the charting based on your requirement

Second search : 

index=_internal sourcetype=scheduler alert_actions!="" (down OR up) user=admin   savedsearch_id !="admin;search; Stage Silo A Down" AND savedsearch_id != "admin;search; Stage Silo B Down" AND savedsearch_id != "admin;search; Stage Silo C Down" AND savedsearch_id !="admin;search; Stage Silo D Down"| transaction savedsearch_id

and see if your events for up and down are clubbed

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...