We have a JBoss instance from which we index AccessLogs, and we expect a fair amount of processed requests on this instance 24/7. I need to be able to calculate "downtime duration" based on the time when this instance does not process any requests. Any ideas how to proceed?
Here's one way of approaching this. For a "fair amount of requests" we'll make an assumption that you should have at least one request per minute. So any minute that has 0 requests is a "down" minute. To compute the "downtime duration" we count the number of minutes with no requests.
sourcetype = access_combined | bucket span=1m _time | stats count as requests_per_minute by _time | where requests_per_minute = 0 | stats count as downtime_duration
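Added example, not part of the original answer: a group-by count such as `stats count ... by _time` only produces a row for a minute that contains at least one event, so a filter on a count of 0 has nothing to match. The Python below models that on constructed access-log lines and then counts down minutes by walking every minute of the search window; the sample lines, function names and window bounds are assumptions made for the illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed access_combined-style lines (not taken from the thread).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:00:12 +0000] "GET /app/status HTTP/1.1" 200 512
10.0.0.7 - - [12/Mar/2024:10:00:48 +0000] "GET /app/login HTTP/1.1" 200 1043
10.0.0.5 - - [12/Mar/2024:10:01:05 +0000] "POST /app/order HTTP/1.1" 201 87
10.0.0.9 - - [12/Mar/2024:10:04:30 +0000] "GET /app/status HTTP/1.1" 200 512
10.0.0.5 - - [12/Mar/2024:10:05:59 +0000] "GET /app/status HTTP/1.1" 200 512
10.0.0.7 - - [12/Mar/2024:10:08:01 +0000] "GET /app/login HTTP/1.1" 200 1043
"""

TS_RE = re.compile(r"\[([^\]]+)\]")

def requests_per_minute(log_text):
    """Group events by minute, like `bucket span=1m _time | stats count by _time`."""
    counts = Counter()
    for line in log_text.splitlines():
        m = TS_RE.search(line)
        if not m:
            continue  # skip lines that carry no timestamp
        ts = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
        counts[ts.replace(second=0, microsecond=0)] += 1
    return counts  # holds only minutes that had events, never a 0 entry

def downtime_windows(counts, start, end):
    """Walk every minute in [start, end); return (first_down_minute, minutes) runs."""
    windows, run_start, run_len = [], None, 0
    minute = start
    while minute < end:
        if counts.get(minute, 0) == 0:  # zero-filled bucket: no events seen
            if run_start is None:
                run_start = minute
            run_len += 1
        elif run_start is not None:     # traffic resumed, close the outage
            windows.append((run_start, run_len))
            run_start, run_len = None, 0
        minute += timedelta(minutes=1)
    if run_start is not None:           # outage still open at end of window
        windows.append((run_start, run_len))
    return windows

def downtime_duration(counts, start, end):
    """Total number of minutes in the window with zero requests."""
    return sum(length for _, length in downtime_windows(counts, start, end))
```

In Splunk itself, `timechart span=1m count` produces the zero-filled per-minute series that this walk relies on.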
Hey, I just bumped into a problem with the search you helped out with before. The where requests_per_minute = 0 does not work as expected. I think it's because if the count is 0 it does not return any result; however, if I do where requests_per_minute = 1 it finds every single minute where the count is 1.
I changed it to where requests_per_minute < 10 and it finds every minute that has fewer than 10 events... except for the minutes that have a count = 0.
Any ideas how to solve this? The most optimal would be if I could specify a