Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to use streamstats to calculate device availability

vasud
New Member
‎10-13-2017 11:46 AM

I have some device logs and am trying to determine the outage (downtime) duration. 
Problem I have here is that events are being constantly thrown and I have difficulty capturing the right one to determine the downtime

            FIRSTOCCURRENCE                LASTOCCURRENCE                         SUMMARY
1          2016-10-12 16:11:17              2016-10-12 16:11:17               Interface Down:                              
3          2016-11-06 01:59:14              2016-11-06 01:59:14               Interface Down:              
4          2016-11-06 01:59:14              2016-11-06 01:59:14               Interface Down:               
5          2016-11-06 02:00:01              2016-11-06 02:00:01               Interface Up:     
6          2016-11-06 02:00:01              2016-11-06 02:00:01               Interface Up:     
7         2016-11-08 00:56:09               2016-11-08 00:56:09               Interface Down:               
8         2016-11-08 00:56:09               2016-11-08 00:56:09               Interface Down:  
10         2016-11-08 00:56:09               2016-11-08 00:56:09               Interface Down: 
11         2016-11-08 00:56:55               2016-11-08 00:56:55               Interface Up: 
12         2016-11-08 00:56:55               2016-11-08 00:56:55               Interface Up: 
13         2016-11-08 01:05:55               2016-11-08 01:05:55               Interface Up: 

Difference between The FIRSTOCCURRENCE of the First "Interface Down" and the FIRSTOCCURRENCE of the First "Interface up" is the Total Outage Hours
According to the Example above  :  outage 1 (2016-10-12 16:11:17 - 2016-11-06 02:00:01)  outage 2 (2016-11-08 00:56:09  - 2016-11-08 00:56:55) 

Currently am using transaction command. But it takes the whole outage as outage hours i.e. outage_hours is 2016-10-12 16:11:17 - 2016-11-08 01:05:55

basic search | transaction HOSTNAME, startswith=(SUMMARY="Interface Down:") endswith=(SUMMARY="Interface Up:") keeporphans=true keepevicted=true maxspan=28d

Any suggestions is appreciated !

0 Karma
Reply

jfraiberg
Communicator
‎10-13-2017 01:50 PM

any chance you can adjust the logs to also add the name of the actual interface as a field? You could then try "| transaction hostname interface startswith..."

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...