Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to generate a timechart for servers showing the uptime and downtime within a span of 5 minutes?

idab
Path Finder
‎09-09-2015 12:32 PM

Hi everyone,

My goal is to create a drop-down that shows the uptime and downtime of a server.
The SPL I have isn't coming out well as planned. I want it to be possible to show the time the server went down and the time it came back up on the chart. Can someone help me?
This is all I have so far.

index=perfmon collection=System counter="System up Time"  sourcetype="Perfmon:System"   state_to=* | transaction Uptime startswith=(state_to=Up) endswith=(state_to=Down)
0 Karma
Reply

woodcock
Esteemed Legend
‎09-09-2015 05:03 PM

Try this:

index=perfmon collection=System counter="System up Time" sourcetype="Perfmon:System" state_to=* | streamstats current=f last(_time) AS nextTime by host | eval nextTime=coalesce(nextTime, now()) | eval secondsInThisState = nextTime - _time

This is your base search and I believe that you are looking to do something further like appending this:

... | eval upSeconds=if(like(_raw, "%state_to=Up%"), secondsInThisState, null()) | eval downSeconds=if(isnull(upSeconds), secondsInThisState, null()) | stats list(upSeconds) list(downSeconds) by host
0 Karma
Reply

woodcock
Esteemed Legend
‎09-09-2015 08:06 PM

Does the first half look correct when run by itself?

0 Karma
Reply

idab
Path Finder
‎09-10-2015 09:32 AM

So, the first half gave no result found. But, when I took out the state_to=* it gave some event data., with no timechart .

0 Karma
Reply

woodcock
Esteemed Legend
‎09-10-2015 10:07 AM

I got the state_to=* part from you in your question! My solution does not have timechart so you are not making sense. Does the first half generate events where each has a field called secondsInThisState whose values are sensible?

0 Karma
Reply

idab
Path Finder
‎09-09-2015 05:38 PM

So, I used the SPL this way appending the second row - using a server host that we just restarted as a test.But, there were no values displayed for the list(upseconds) .Couldn't see any chart either.I was thinking the search would display the uptime and downtime period for a host machine.
Need help!

index=perfmon host="hostName" collection=System counter="System up Time" sourcetype="Perfmon:System" | streamstats current=f last(_time) AS nextTime by host | eval nextTime=coalesce(nextTime, now()) | eval secondsInThisState = nextTime - _time | eval upSeconds=if(like(_raw, "%state_to=Up%"), secondsInThisState, null()) | eval downSeconds=if(isnull(upSeconds), secondsInThisState, null()) | stats list(upSeconds) list(downSeconds) by host

0 Karma
Reply
Get Updates on the Splunk Community!

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Today’s threat landscape is more complex than ever. Security operation centers (SOCs) are overwhelmed with ...

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...