Hi,

Can you please help me in getting the below field values.

Given the limited amount of data you provided, it is not possible to determine how such information would be derived.

Can you provide some more accurate (anonymised) events?

Can you explain how you want to calculate these fields?

I am able to fetch the below information of servers status:

By using Add-on, I am checking server status by pinging every 5min interval and validate the server name in look up and updating the server Status.

Now i need to take report of servers Down time and Availability%:

Ex.: 

Availability = (uptime during the period / total time) × 100
e.g. lets consider the report period of 1 week which is 168 hour ( consider 24*7 calculation)

For example, if any server was down for 3 hours in this period of 24 hours then the availability of this server would be
165/168*100 = 98.21%
Uptime in this example would be 165 hours ( 6 days 21 hours)Calculation of downtime is the based on the time spent by the server in a status is consider as down or 0%
So here downtime would be 3 hours.

based on _time, _raw and status received=1 or received=0, I need to calculate Down time and Server Availability in %. I was able to calculate the server Availability in % as shown in above msg code.
below table last checked is nothing but the last ping time.

So, using streamstats as you have shown to get the previous event data for the dest, you could calculate the downtime as the difference in previous event time and current event time only if the previous event is a down event. Then you can sum the downtimes for each dest to give you the overall downtime for each dest. You then work out the total period for each dest covered by your search and subtract the total downtime for the dest to give you the total uptime, from which you can calculate the percentage availability.

I understood what you had explained. It will be helpful if you write that in sample query. My sample code. but downtime is not calculated.

index=network
| streamstats sparkline(avg(avg_ping)) as sparkline_ping avg(avg_ping) as ping max(max_ping) as max_ping latest(packet_loss) as packet_loss latest(_time) as last_checked range(avg_ping) as range min(avg_ping) as min by dest current=f
| search
| eval ping=round(ping, 0)." ms"
| eval average=round(avg_ping, 0)." ms"
| eval maximum=round(max_ping, 0)." ms"
| eval range=round(min, 0)." - ".round(min+range, 0)." ms"
| eval packet_loss=if(max_ping="NA",100,packet_loss)
| table dest packet_loss last_checked ping max_ping range sparkline_ping
| `timesince(last_checked,last_checked)`
| sort -ping
| lookup server_detail "Asset CI" as dest OUTPUTNEW "RDP IP" "Environment Specification" Category "Operating System"
| eval Status = case(packet_loss = "100","Down",packet_loss = "0","Up")
| eval Availability= case(packet_loss = "100",100,packet_loss = "0",0)
| stats avg(Availability) by dest
| sort +avg(Availability)