Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to edit my search to compute host up times with a lookup table and importance value?

mikebarry
New Member
‎04-07-2016 06:26 AM

I have to take a logfile and extract certain fields to present as a percentage of availability ("UP" host_names).
I need to group two host_names with different suffixes, match if down for 5 minutes, then report as down.
Then I need to create a lookup table to match host_names as site_names to be listed on output and a "weighting" value of each site.

I have the following search: 

source="/home/splunk/nagios_temp/var/nagios.log" NGTC*P OR NGTC*S status_code="DOWN" OR "CRITICAL" OR "HARD" NOT OK NOT SOFT | dedup 1 host_name sortby -_time | transaction maxspan=5s maxpause=300s | lookup TCSiteXref.csv host_name OUTPUT site_name, site_weight, total_weight | search site_name=* | stats min(site_weight) as site_weight min(total_weight) as total_weight by site_name | eval availability=(total_weight/site_weight) | fields site_name, availability | sort by - availability

My results produce a table with site_name and "availability" as the metric of weighting, not percentages of all sites up. My logic is askew.

0 Karma
Reply

meenal901
Communicator
‎04-08-2016 02:06 AM

The percentage shouldn't be : availability=(site_weight/total_weight) ?
Try the top command after eval to get % automatically

0 Karma
Reply

mikebarry
New Member
‎04-08-2016 06:43 AM

Thanks for your answer. I have bee n playing with top for percentages. Percentages(is supposed to equal)=the value of weight. I did try | top site_name by availability_metric which produces a backwards percentage i.e. meaning the availability(metric) is a lower number with a high percentage and all are "counts" of one.

So to your point just doing the | top (availability) after the eval produces a correct percentage of availability but no site_names field - tried fields site_name to no avail

0 Karma
Reply

meenal901
Communicator
‎04-08-2016 07:11 AM

Can you post some sample data and expected output? Also include 1-2 rows from lookup.

0 Karma
Reply

mikebarry
New Member
‎04-08-2016 07:18 AM 
source="/home/splunk/nagios_temp/var/nagios.log" NGTC*P OR NGTC*S status_code="DOWN" OR "CRITICAL" OR "HARD" NOT OK NOT SOFT | dedup 1 host_name sortby -_time | transaction maxspan=5s maxpause=>300s | lookup TCSiteXref.csv host_name OUTPUT site_name, site_weight, total_weight | search site_name=* | stats min(site_weight) as site_weight min(total_weight) as total_weight by site_name | eval availability_metric=(total_weight/site_weight) | fields availability_metric, site_name | top availability_metric

availability_metric count percent
703.492374 3 33.333333
684.983196 1 11.111111
671.700154 1 11.111111
658.223864 1 11.111111
530.223672 1 11.111111
436.152859 1 11.111111
305.26611 1 11.111111

Want site_names (field) to the left. And after all that I will have to get an overall percentage (only equals 99.999999% I realize) to show in a panel. Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...