Sorry for the newbie question. We want to calculate the percentage of time between 2 events over the entire search period. We use transaction and get the sum of the time between each pair of events:
| transaction dest service startswith="CRITICAL;SOFT;1" endswith=OK | stats sum(duration) as total_downtime by dest
But we have no idea how to pass the earliest(time) and latest(time) so that we can do the calculation like
percentage = (total_downtime/(latest-earliest))*100
Would anyone please help?
Thanks a lot.
Try something like this:
your_search | transaction dest service startswith="CRITICAL;SOFT;1" endswith=OK | stats earliest(_time) AS Earliest latest(_time) AS Latest sum(duration) as total_downtime by dest | eval percentage = (total_downtime/(Latest-Earliest))*100
Thanks. It seems this returns the time period of the transaction. Can I get the time span for "your_search"? It's a Nagios log and it logs the status of all hosts. Some are okay and some have down/up status changes. We hope to get the percentage of downtime of each host (the period between down/up) over the entire period.
In this way you have the first and the latest events of your results.
To have the earliest and latest you should follow this answer:
transaction; try this:
... | search OK OR "CRITICAL;SOFT;1" | streamstats count(eval(searchmatch("CRITICAL;SOFT;1"))) AS sessionID BY dest service | stats range(_time) AS duration by dest service sessionID | stats sum(duration) as total_downtime by dest | addinfo | eval percentDown = 100 * (total_downtime)/(info_max_time - info_min_time)
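The same down/up pairing, written out in Python as an added example that is not part of this thread and not Splunk's own code. It parses Nagios SERVICE ALERT lines, opens a session per host/service on CRITICAL;SOFT;1 and closes it on OK (the streamstats sessionID idea above), sums durations per host like `sum(duration) by dest`, and divides by the search window like `addinfo`. It also handles one case the SPL version silently drops: an outage still open at the end of the window (a single-event session has `range(_time)` = 0), which here is counted up to the window end. The log lines are constructed sample data, and when no window is given the first and last parsed event stand in for info_min_time/info_max_time, which is an assumption.

```python
import re
from collections import defaultdict

# Nagios service-alert line (format of nagios.log):
#   [epoch] SERVICE ALERT: host;service;state;state_type;attempt;plugin_output
ALERT_RE = re.compile(
    r"^\[(?P<ts>\d+)\] SERVICE ALERT: (?P<host>[^;]+);(?P<service>[^;]+);"
    r"(?P<state>[^;]+);(?P<stype>[^;]+);(?P<attempt>\d+);(?P<output>.*)$"
)

# Constructed sample log, not real data. Lines are deliberately out of order
# and include a HOST ALERT that the service-level parser must ignore.
SAMPLE_LOG = """\
[1700000000] SERVICE ALERT: web01;HTTP;OK;HARD;1;HTTP OK: 200
[1700000030] HOST ALERT: web01;UP;HARD;1;PING OK
[1700000600] SERVICE ALERT: web01;HTTP;CRITICAL;SOFT;1;Connection refused
[1700000660] SERVICE ALERT: web01;HTTP;CRITICAL;SOFT;2;Connection refused
[1700000720] SERVICE ALERT: web01;HTTP;CRITICAL;HARD;3;Connection refused
[1700001200] SERVICE ALERT: web01;HTTP;OK;HARD;1;HTTP OK: 200
[1700001800] SERVICE ALERT: db01;MySQL;OK;HARD;1;Uptime ok
[1700002400] SERVICE ALERT: web01;SSH;CRITICAL;SOFT;1;Connection timed out
[1700002700] SERVICE ALERT: web01;SSH;OK;HARD;1;SSH OK
[1700003000] SERVICE ALERT: db01;MySQL;CRITICAL;SOFT;1;Can't connect to MySQL
[1700003300] SERVICE ALERT: cache01;Redis;CRITICAL;SOFT;1;Connection refused
[1700003600] SERVICE ALERT: db01;MySQL;OK;HARD;1;Uptime ok
"""


def parse_alerts(lines):
    """Return (ts, host, service, state, state_type, attempt) tuples, sorted by time."""
    events = []
    for line in lines:
        m = ALERT_RE.match(line)
        if m:
            events.append((int(m["ts"]), m["host"], m["service"],
                           m["state"], m["stype"], int(m["attempt"])))
    return sorted(events)


def downtime_by_host(lines, window=None):
    """Sum CRITICAL;SOFT;1 -> OK outage durations per host and express them as a
    percentage of the search window.

    window: (start_epoch, end_epoch), the equivalent of addinfo's
    info_min_time/info_max_time. When omitted, the first and last parsed
    event stand in for it (an assumption; a real search has fixed bounds).
    """
    events = parse_alerts(lines)
    if not events:
        return {}
    win_start, win_end = window if window else (events[0][0], events[-1][0])
    span = win_end - win_start
    if span <= 0:
        raise ValueError("search window must be longer than zero seconds")

    open_since = {}              # (host, service) -> ts when the outage started
    downtime = defaultdict(int)  # host -> summed seconds, like 'sum(duration) by dest'

    for ts, host, service, state, stype, attempt in events:
        key = (host, service)
        if state == "CRITICAL" and stype == "SOFT" and attempt == 1:
            # Start of an outage; a repeated SOFT;1 without an OK in between
            # keeps the earlier start rather than resetting the clock.
            open_since.setdefault(key, ts)
        elif state == "OK" and key in open_since:
            # Recovery closes the open session for this host/service pair.
            downtime[host] += ts - open_since.pop(key)
        # Other states (SOFT;2, HARD, OK without a preceding outage) do not
        # change the open/closed state of the session.

    # Outages still open at the end of the window count up to the window end.
    # The SPL version drops these: range(_time) over a single event is 0.
    for (host, _service), started in open_since.items():
        downtime[host] += max(0, win_end - started)

    return {
        host: {"downtime": secs, "percent": 100.0 * secs / span}
        for host, secs in sorted(downtime.items())
    }


if __name__ == "__main__":
    for host, stats in downtime_by_host(SAMPLE_LOG.splitlines()).items():
        print(f"{host}: {stats['downtime']} s down, {stats['percent']:.2f}% of window")
```

On the sample data web01 accumulates 600 s (HTTP) plus 300 s (SSH) over a 3600 s window, so 25%; cache01 never recovers and gets 300 s up to the window end. One caveat that applies to both this script and the SPL: durations are summed per host across services, so two services on the same host that are down at the same time are counted twice, and the percentage can exceed what a wall-clock view of the host would show.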