Splunk Search

How to edit my search to compute host up times with a lookup table and importance value?

mikebarry
New Member

I have to take a logfile and extract certain fields to present as a percentage of availability ("UP" host_names).
I need to group two host_names with different suffixes, match if down for 5 minutes, then report as down.
Then I need to create a lookup table to match host_names as site_names to be listed on output and a "weighting" value of each site.

I have the following search:

source="/home/splunk/nagios_temp/var/nagios.log" NGTC*P OR NGTC*S status_code="DOWN" OR "CRITICAL" OR "HARD" NOT OK NOT SOFT | dedup 1 host_name sortby -_time | transaction maxspan=5s maxpause=300s | lookup TCSiteXref.csv host_name OUTPUT site_name, site_weight, total_weight | search site_name=* | stats min(site_weight) as site_weight min(total_weight) as total_weight by site_name | eval availability=(total_weight/site_weight) | fields site_name, availability | sort by - availability

My results produce a table with site_name and "availability" as the metric of weighting, not percentages of all sites up. My logic is askew.

0 Karma

meenal901
Communicator

The percentage shouldn't be : availability=(site_weight/total_weight) ?
Try the top command after eval to get % automatically

0 Karma

mikebarry
New Member

Thanks for your answer. I have bee n playing with top for percentages. Percentages(is supposed to equal)=the value of weight. I did try | top site_name by availability_metric which produces a backwards percentage i.e. meaning the availability(metric) is a lower number with a high percentage and all are "counts" of one.

So to your point just doing the | top (availability) after the eval produces a correct percentage of availability but no site_names field - tried fields site_name to no avail

0 Karma

meenal901
Communicator

Can you post some sample data and expected output? Also include 1-2 rows from lookup.

0 Karma

mikebarry
New Member
source="/home/splunk/nagios_temp/var/nagios.log" NGTC*P OR NGTC*S status_code="DOWN" OR "CRITICAL" OR "HARD" NOT OK NOT SOFT | dedup 1 host_name sortby -_time | transaction maxspan=5s maxpause=>300s | lookup TCSiteXref.csv host_name OUTPUT site_name, site_weight, total_weight | search site_name=* | stats min(site_weight) as site_weight min(total_weight) as total_weight by site_name | eval availability_metric=(total_weight/site_weight) | fields availability_metric, site_name | top availability_metric

availability_metric count percent
703.492374 3 33.333333
684.983196 1 11.111111
671.700154 1 11.111111
658.223864 1 11.111111
530.223672 1 11.111111
436.152859 1 11.111111
305.26611 1 11.111111

Want site_names (field) to the left. And after all that I will have to get an overall percentage (only equals 99.999999% I realize) to show in a panel. Thanks

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...