Re: Splunk query for UPtime and Downtime?

Inayath_khan · ‎06-03-2020

Hi Folks,

Can anyone please help in forming the query for internal splunk components up and downtime reporting, i found a similar but this gives only uptime,

richgalloway · ‎06-04-2020

As you've discovered, the REST interface only provides the startup time. You can, however, get both startup and shutdown times from splunkd.log. Start with index=_internal source=*splunkd.log* ("shutdown complete" OR "Splunkd starting"). This assumes your _internal index retains data long enough to keep the last startup and shutdown events.

---
If this reply helps you, Karma would be appreciated.

johnward4 · ‎06-28-2020

I've been trying to work with this same query to calculate the difference (_time of Action = "Splunkd Starting" minus _time of Action = "Splunkd Shutdown) to show downtime by host. Then sum the total downtime by host for the past 7 days. The end result I'm hoping for is to show percentage of UpTime by host past 7 days and also chart total percentage of uptime past 7 days for all hosts.

index=_internal source="*SplunkUniversalForwarder*\\splunkd.log" (event_message="*Splunkd starting*" OR event_message="*Shutting down splunkd*") | eval Action = case(like(event_message, "%Splunkd starting%"), "Splunkd Starting", like(event_message, "%Shutting down splunkd%"), "Splunkd Shutdown")

Splunk query for UPtime and Downtime?

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM