Solved: Showing/counting event that there's not

fabrizioalleva · ‎05-24-2024

Hi all,

we've a procedure that's writes index only where there's a KO:

So I've a sequence of events like these:

DATE,RESPONSE

2024/05/24 11:04:00,1

2024/05/24 11:05:00,1

2024/05/24 11:06:00,1

2024/05/24 11:08:00,1

2024/05/24 11:09:00,1

2024/05/24 11:10:00,1

2024/05/24 11:11:00,1

2024/05/24 11:13:00,1

2024/05/24 11:14:00,1

As you can se between

2024/05/24 11:06:00 and 2024/05/24 11:08:00

and

2024/05/24 11:11:00 2024/05/24 11:12:00 , there's no a KO

What we want do is to produce a full output like this:

2024/05/24 11:04:00,1

2024/05/24 11:05:00,1

2024/05/24 11:06:00,1

2024/05/24 11:07:00,0

2024/05/24 11:08:00,1

2024/05/24 11:09:00,1

2024/05/24 11:10:00,1

2024/05/24 11:11:00,1

2024/05/24 11:12:00,0

2024/05/24 11:13:00,1

2024/05/24 11:14:00,1

In order to highlight the service's up/down. I've tried with a lot of method but I cannot obtain a similiar result.

Any suggestion ?

Thanks Fabrizio

gcusello · ‎05-24-2024

Hi @fabrizioalleva ,

if you need to send an alert, you could run a search like the following every 5 minutes:

index=myindex eariest=-5m@m latest=@m
| stats count BY APP
| where count<5

instead in a dashboard panel, you can use timechart.

Ciao.

Giuseppe

View solution in original post

gcusello · ‎05-24-2024

Hi @fabrizioalleva,

I suppose that you already extracted the field with the status=1.

In this case you could run

<your_search>
| timechart span=1m count BY status

Ciao.

Giuseppe

fabrizioalleva · ‎05-24-2024

Thanks,

@gcusello, I already tried with time chart, but if I've a lot of application which work in this way, I'm not able to work with timechart, also because if I wanto to work with data after timechart I cannot.

Maybe better so:

DATE,APP

2024/05/24 11:04:00, APPA

2024/05/24 11:05:00,APPB

2024/05/24 11:06:00,APPA

2024/05/24 11:08:00,APPB

2024/05/24 11:09:00,APPA

2024/05/24 11:10:00,APPB

2024/05/24 11:11:00,APPA

2024/05/24 11:13:00,APPB

2024/05/24 11:14:00,APPA

So I've to highlight this condition of "flapping" in 10 minutes. If The app is present, it means that it's not respondig.

index=myindex
| timechart span=1m by APP

produces:

_time, APPA, APPB

And what I want to produce

_time, APPA, APPB

2024/05/24 11:04:00, 1,0

2024/05/24 11:05:00, 0,1

2024/05/24 11:06:00, 1,0

2024/05/24 11:07:00,0,0

2024/05/24 11:08:00, 0,1

2024/05/24 11:09:00, 1,0

2024/05/24 11:10:00, 0,1

2024/05/24 11:11:00, 1,0

2024/05/24 11:12:00,0,0

2024/05/24 11:13:00, 0,1

2024/05/24 11:14:00, 1,0

But I want to work with this output in order to send alert to other application.

Thanks

gcusello · ‎05-24-2024

Hi @fabrizioalleva ,

if you need to send an alert, you could run a search like the following every 5 minutes:

index=myindex eariest=-5m@m latest=@m
| stats count BY APP
| where count<5

instead in a dashboard panel, you can use timechart.

Ciao.

Giuseppe

gcusello · ‎05-24-2024

Hi @fabrizioalleva ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

Showing/counting event that there's not

stats

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Join the Conversation

Showing/counting event that there's not

stats

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...