Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to calculate downtime based on the amount of requests an application server processes?

Norling80
Path Finder
‎06-01-2015 07:08 AM

Hi guys. I want to be able to calculate downtime based on the amount of requests that an Application server processes. The downtime is calculated based on the following rules.

  1. Choose a time-span 30 min before and 30 min after the actual downtime.
  2. Calculate the average amount of events based on the top 20 results i.e the 20 minutes with the most amount of processed requests.
  3. Cassify all events as downtime that has 80% or below of the average described in step 2 above.

Below is an example of the result I want to calculate downtime on:

alt text

Tags (2)
Preview file
1 KB
0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎06-13-2015 08:15 PM

Here is my method to get the top 80% count, using the percentile top 80% counts, and qualify every minute as up or downtime based on this value.

index=_internal source=*web* req_time =*
|  bucket _time span=1m | stats count by _time
| eventstats perc80(count) AS maxperc80 
| eval status=if(count < maxperc80, "down", "up")

You probably want to add some sort of count of consecutive durations and exclude the outliers
Then do the sum of the "down" minutes.

| stats count by status
0 Karma
Reply

Archana21
New Member
‎06-22-2015 04:23 AM

...|top 20 status| stats avg(count)

0 Karma
Reply

Norling80
Path Finder
‎06-22-2015 01:57 AM

hi, one more things. how do we add step number 2 above to the search where we take the average of the top 20 results.

0 Karma
Reply

woodcock
Esteemed Legend
‎06-08-2015 06:50 AM

I know this is not what you are asking but, based on your example which shows an obvious 100% (full vs. partial) outage, why would you not use something like this:

... | streamstats current=f  latest(_time) AS prevEventTime latest(_raw) AS prevEvent | eval downtime = _time - _prevEventTime | where downtime > 100
0 Karma
Reply

Norling80
Path Finder
‎06-08-2015 07:09 AM

Thanks for your input. I have something similar in-place already, however point number 2 above is an important part of the search to be able to calculate the downtime in a proper way.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...