Splunk Search

How to edit my search to compute host up times with a lookup table and importance value?

New Member

I have to take a log file and extract certain fields to present as a percentage of availability ("UP" host names).
I need to group two host names with different suffixes, match if down for 5 minutes, then report as down.
Then I need to create a lookup table to match host names to site names to be listed in the output, with a "weighting" value for each site.

I have the following search:

source="/home/splunk/nagios_temp/var/nagios.log" (NGTC*P OR NGTC*S) (status_code="DOWN" OR "CRITICAL" OR "HARD") NOT OK NOT SOFT
| dedup 1 host_name sortby -_time
| transaction maxspan=5s maxpause=300s
| lookup TCSiteXref.csv host_name OUTPUT site_name, site_weight, total_weight
| search site_name=*
| stats min(site_weight) as site_weight min(total_weight) as total_weight by site_name
| eval availability=(total_weight/site_weight)
| fields site_name, availability
| sort -availability

My results produce a table with site_name and "availability" as the weighting metric, not percentages of all sites up. My logic is askew.

0 Karma

Re: How to edit my search to compute host up times with a lookup table and importance value?

Communicator

Shouldn't the percentage be availability=(site_weight/total_weight)?
Try the top command after the eval to get the percentage automatically.

0 Karma

Re: How to edit my search to compute host up times with a lookup table and importance value?

New Member

Thanks for your answer. I have been playing with top for percentages. Percentages (are supposed to) equal the value of the weight. I did try | top sitename by availabilitymetric, which produces a backwards percentage, i.e. the availability (metric) is a lower number with a high percentage, and all are "counts" of one.

So, to your point, just doing | top (availability) after the eval produces a correct percentage of availability but no sitename field; I tried fields sitename to no avail.

0 Karma

Re: How to edit my search to compute host up times with a lookup table and importance value?

Communicator

Can you post some sample data and expected output? Also include 1-2 rows from lookup.

0 Karma

Re: How to edit my search to compute host up times with a lookup table and importance value?

New Member
source="/home/splunk/nagios_temp/var/nagios.log" (NGTC*P OR NGTC*S) (status_code="DOWN" OR "CRITICAL" OR "HARD") NOT OK NOT SOFT
| dedup 1 host_name sortby -_time
| transaction maxspan=5s maxpause=300s
| lookup TCSiteXref.csv host_name OUTPUT site_name, site_weight, total_weight
| search site_name=*
| stats min(site_weight) as site_weight min(total_weight) as total_weight by site_name
| eval availability_metric=(total_weight/site_weight)
| fields availability_metric, site_name
| top availability_metric

availability_metric   count   percent
703.492374            3       33.333333
684.983196            1       11.111111
671.700154            1       11.111111
658.223864            1       11.111111
530.223672            1       11.111111
436.152859            1       11.111111
305.26611             1       11.111111

I want site_name (field) on the left. And after all that I will have to get an overall percentage (which only comes to 99.999999%, I realize) to show in a panel. Thanks

0 Karma
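An added example, not code from anyone in this thread, that models the computation the question and the reply are circling in plain Python so the arithmetic can be checked outside Splunk: parse nagios.log host alerts, drop SOFT states, join each host to its site through a stand-in for TCSiteXref.csv, collapse the P/S host pair onto one site, mark a site DOWN if any of its hosts stayed in a HARD non-UP state for at least 5 minutes, and then report per-site weight as a percentage of total_weight (the reply's site_weight/total_weight) plus the overall weighted availability (weight of UP sites over total_weight). The lookup rows, the log lines, the "any host down 5 minutes means the site is down" rule and the evaluation time `now` are all constructed assumptions, not data from the thread.

```python
import re
from collections import defaultdict

# Constructed stand-in for TCSiteXref.csv: the column names are the ones the
# thread uses; the sites, hosts and weights are made up. Each site has a P and
# an S host that map to the same site_name; total_weight is the sum of weights.
LOOKUP = [
    {"host_name": "NGTC01P", "site_name": "SiteA", "site_weight": 40, "total_weight": 100},
    {"host_name": "NGTC01S", "site_name": "SiteA", "site_weight": 40, "total_weight": 100},
    {"host_name": "NGTC02P", "site_name": "SiteB", "site_weight": 35, "total_weight": 100},
    {"host_name": "NGTC02S", "site_name": "SiteB", "site_weight": 35, "total_weight": 100},
    {"host_name": "NGTC03P", "site_name": "SiteC", "site_weight": 25, "total_weight": 100},
    {"host_name": "NGTC03S", "site_name": "SiteC", "site_weight": 25, "total_weight": 100},
]

# Constructed nagios.log host-alert lines in the usual
# "[epoch] HOST ALERT: host;state;statetype;attempt;output" layout.
NAGIOS_LOG = """\
[1300000000] HOST ALERT: NGTC01P;DOWN;SOFT;1;PING CRITICAL - Packet loss = 100%
[1300000060] HOST ALERT: NGTC01P;DOWN;HARD;3;PING CRITICAL - Packet loss = 100%
[1300000120] HOST ALERT: NGTC01P;UP;HARD;1;PING OK - Packet loss = 0%
[1300000200] HOST ALERT: NGTC02S;DOWN;HARD;3;PING CRITICAL - Packet loss = 100%
[1300000700] HOST ALERT: NGTC02S;UP;HARD;1;PING OK - Packet loss = 0%
[1300001000] HOST ALERT: NGTC03P;DOWN;HARD;3;PING CRITICAL - Packet loss = 100%
"""

HOST_ALERT_RE = re.compile(
    r"^\[(?P<ts>\d+)\] HOST ALERT: (?P<host>[^;]+);"
    r"(?P<state>UP|DOWN|UNREACHABLE);(?P<stype>HARD|SOFT);"
)


def parse_outages(log_text):
    """Return {host_name: [(start, end), ...]} of confirmed (HARD, non-UP) outages.

    SOFT alerts are retries and are skipped, mirroring NOT SOFT in the thread's
    search. An outage with no UP yet has end=None (host is still down)."""
    outages = defaultdict(list)
    open_since = {}
    for line in log_text.splitlines():
        m = HOST_ALERT_RE.match(line)
        if not m or m["stype"] == "SOFT":
            continue
        ts, host = int(m["ts"]), m["host"]
        if m["state"] != "UP":
            open_since.setdefault(host, ts)  # keep the earliest start of a down run
        elif host in open_since:
            outages[host].append((open_since.pop(host), ts))
    for host, start in open_since.items():
        outages[host].append((start, None))
    return dict(outages)


def site_status(lookup, outages, now, min_down=300):
    """Collapse hosts onto sites (the P/S pair share a site_name) and mark a site
    DOWN if any of its hosts had a HARD outage of at least min_down seconds.
    The 'any host, 5 minutes' rule is an assumption read from the question."""
    sites = {}
    for row in lookup:
        site = sites.setdefault(row["site_name"], {
            "site_weight": row["site_weight"],
            "total_weight": row["total_weight"],
            "status": "UP",
        })
        for start, end in outages.get(row["host_name"], []):
            if (now if end is None else end) - start >= min_down:
                site["status"] = "DOWN"
    return sites


def availability_report(sites):
    """Per-site rows (site weight as a percentage of total_weight, as the reply
    suggests) plus the overall weighted availability: weight of UP sites over
    total_weight, in percent."""
    total = max(s["total_weight"] for s in sites.values())
    up_weight = sum(s["site_weight"] for s in sites.values() if s["status"] == "UP")
    rows = [
        {"site_name": name,
         "status": s["status"],
         "weight_pct": round(100.0 * s["site_weight"] / total, 6)}
        for name, s in sorted(sites.items(), key=lambda kv: -kv[1]["site_weight"])
    ]
    return rows, round(100.0 * up_weight / total, 6)


def compute(log_text, lookup, now):
    """Whole pipeline: parse -> join with lookup -> site status -> percentages."""
    return availability_report(site_status(lookup, parse_outages(log_text), now))


if __name__ == "__main__":
    # 'now' is a constructed evaluation time 400 s after SiteC's host went down
    rows, pct = compute(NAGIOS_LOG, LOOKUP, now=1300001400)
    print(f"{'site_name':<10}{'status':<8}{'weight_pct':>12}")
    for r in rows:
        print(f"{r['site_name']:<10}{r['status']:<8}{r['weight_pct']:>12.6f}")
    print(f"overall weighted availability: {pct}%")
```

With the constructed data SiteA recovers after 60 s and stays UP, SiteB was down for 500 s, and SiteC is still down 400 s into its outage, so the overall weighted availability is 40%; evaluated 100 s into SiteC's outage it is 65%. Mapped back to SPL, the same steps are the `lookup TCSiteXref.csv host_name OUTPUT site_name site_weight total_weight` join, a `stats ... by site_name` to collapse the P/S pair, a `where` on the outage length, and `eval pct=100*site_weight/total_weight` for the per-site column. `top` is a frequency count of field values, which is why the thread's `top availability_metric` output shows count 1 and 11.1% per distinct metric value rather than anything weighted.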