I have recently started indexing a private log generated from a Hostmon URL check. The Hostmon check runs during M-F business hours and returns the following basic log information:
[9/8/2016 10:48:55 AM] sitename.com Host is alive 18 ms URL request 27061
I've added the extracted fields for 'site', 'state', 'response_time', 'test_type', 'bytes', but now I want to build reporting around the data and am not very experienced using charting searches with Splunk. The 'state' field will return data that is as simplistic as 'Host is alive', 'Host is down', or 'Out of schedule'.
Can someone help me understand how to pipe in a timechart avg of the 'state' field values so I can add it to a scheduled report for how often my site was available?
Example of a search that I was trying is:
index=main host=* sourcetype=Hostmon site=* state=* | timechart span=1d avg(state) as Site_Availability
For testing purposes I added a 'host is down' entry in the log, but my pie chart is showing three data groups on the visualization:
Host is alive, Host is alive, and other
I'm looking for the chart to show basically 99% host is alive, and for that one entry that is Host is down, shouldn't it show a sliver for that 1%?
Hi @jward6004 - If your original question has been answered, don't forget to resolve the original post by clicking "Accept" below the answer. Also, be sure to upvote any comments by @sundareshr and @dbcase that you found helpful.
That goes back to sundareshr's earlier answer
index=main host=* sourcetype=Hostmon site=* state=* | bin span=1h _time | stats count by _time state | timechart span=1d avg(count) as Site_Availability by state
Change the span=1h to span=1w for 1 week or span=1m for 1 month or span=1y for 1 year.
Thank you dbcase! I'm trying to get a total number of tests or sum.. and then divide total tests by total success (host is alive) and total failures (host is down) using EVAL.
This is the current query I'm using for the past week of test data:
index=main host=* sourcetype=Hostmon site=* state=* | stats count by _time state | timechart span=1w count as Site_Availability by state
This bar graph is showing total tests of either 'host is alive' or 'host is down' for the past week but I'm trying to display a more granular output of the data.
Here's a screengrab for my panels now.
It's showing the number of times that the event showed 'host is alive' and 'host is down', but I don't really care to display the number of tests in my graph. I'd like to create two new fields using EVAL for the expected values of the field 'state', then use the graph to report on those new fields.
Still not quite understanding but.....
I think you would need eventstats to get your totals
or possibly accum...
Sorry for the vagueness, I'm still not getting quite what you are looking for.
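
An added example, not part of the thread or any poster's own search: one way to turn the Hostmon events into a daily availability percentage per site, counting total, alive and down tests with stats and dividing with eval. It assumes the extracted field names from the question (site, state); the names total_tests, alive_tests, down_tests and availability_pct are made up for illustration.

```spl
index=main sourcetype=Hostmon site=* (state="Host is alive" OR state="Host is down")
| bin _time span=1d
| stats count AS total_tests,
        count(eval(lower(state)=="host is alive")) AS alive_tests,
        count(eval(lower(state)=="host is down")) AS down_tests
        BY _time, site
| eval availability_pct=round(100 * alive_tests / total_tests, 2)
| xyseries _time site availability_pct
```

The base search leaves out 'Out of schedule' events so they are not counted as tests, and lower() is used because eval string comparisons are case-sensitive while the log and the test entry differ in capitalization. Averaging the string field directly, as in avg(state), yields nothing because the values are not numeric.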