Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Time from a search

mariamathewtel
Explorer
‎03-23-2021 04:43 AM

Hi All,

I have a query like below.

index="abc" host=xxx 
| eval Indicator=if(state=="RUNNING", "10", "0")
| timechart span=5min min(Indicator) as "Trend"

and it will give me results like below. 

mariamathewtel_0-1616499504492.png

I am trying to get the time(_time) value when there is a change in the value of Trend happens.

eg myTime = 2021-03-18 16:55:00    (When trend changes from 10 to 0)

      myTime = 2021-03-18 17:25:00     (When trend changes from 0 to 10)

 

Can someone please help me do it. Would really appreciate if someone can help with the difference between these times also. 

myTime = 2021-03-18 16:55:00    

myTime = 2021-03-18 17:25:00     Difference = 30 minutes

Labels (5)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎03-24-2021 04:48 AM

hi @mariamathewtel,

You can use the delta command to identify the event where the Trend value is changed and also to calculate the duration. Try this,

index="abc" host=xxx 
| eval Indicator=if(state=="RUNNING", "10", "0")
| timechart span=5min min(Indicator) as "Trend
| delta Trend as diff 
| where diff!=0 
| delta _time AS Duration
| eval Duration=tostring(abs(Duration), "duration")

 

If this reply helps you, an upvote/like would be appreciated.

 

View solution in original post

Reply
Solved! Jump to solution

rnowitzki
Builder
‎03-25-2021 05:07 AM

Hmm, so you basically want to switch the Status.
Could this be enough? Add it below your current SPL:

| eval status=if(status="DOWN", "UP", "DOWN")


Or you change the logic already when you assign either DOWN or UP.

After that you can filter to see only the DOWN ones with

| where status="DOWN"


Hope I got your requirement correct.

BR
Ralph

--
Karma and/or Solution tagging appreciated.
0 Karma
Reply
Solved! Jump to solution

mariamathewtel
Explorer
‎03-25-2021 03:55 AM

Hi @manjunathmeti , @rnowitzki , need one more help 

query works well and m getting the correct duration. 

mariamathewtel_0-1616669206011.png

here as you can see the duration is getting updated to the row when the Trend is 10(UP). i want it to be attached to the row where trend is 0(DOWN) so that i can display the downtime properly. 

Like below

mariamathewtel_1-1616669643005.png

 

So that it can be displayed like below in a dashboard. (Only Downtime)

mariamathewtel_2-1616669699490.png

 

0 Karma
Reply
Solved! Jump to solution

manjunathmeti
Champion
‎03-25-2021 06:30 AM

hi @mariamathewtel,
You can use autoregress to move Duration values to one row up. Try this:

 

index="abc" host=xxx 
| eval Indicator=if(state=="RUNNING", "10", "0")
| timechart span=5min min(Indicator) as "Trend
| delta Trend as diff 
| where diff!=0 
| delta _time AS Duration
| eval Duration=tostring(abs(Duration), "duration")
| reverse
| autoregress Duration as Duration1
| reverse 
| rename Duration1 as Duration

 

If this reply helps you, a like would be appreciated.

0 Karma
Reply
Solved! Jump to solution

mariamathewtel
Explorer
‎03-25-2021 12:28 AM

Hi @rnowitzki ,

This also works as required. 🙂

Thanks a lot for the help 🙂 

 

Reply
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎03-24-2021 04:48 AM

hi @mariamathewtel,

You can use the delta command to identify the event where the Trend value is changed and also to calculate the duration. Try this,

index="abc" host=xxx 
| eval Indicator=if(state=="RUNNING", "10", "0")
| timechart span=5min min(Indicator) as "Trend
| delta Trend as diff 
| where diff!=0 
| delta _time AS Duration
| eval Duration=tostring(abs(Duration), "duration")

 

If this reply helps you, an upvote/like would be appreciated.

 

Reply
Solved! Jump to solution

mariamathewtel
Explorer
‎03-25-2021 12:24 AM

Hi @manjunathmeti ,

this works just fine. exactly what i needed. 

Thanks a lot 🙂

Tags (1)
0 Karma
Reply
Solved! Jump to solution

rnowitzki
Builder
‎03-24-2021 04:22 AM

Hi @mariamathewtel ,

Try this SPL after your search that populates the table shown in the Screenshot:

| streamstats current=f window=1 last(Trend) as prev_trend
| eval trendchange=if(Trend!=prev_trend,"true", "false")
| where trendchange="true"
| streamstats current=f window=1 last(_time) as prev_time
| eval gap=tostring(_time-prev_time, "Duration")
| convert ctime(prev_time)

It will give you only the line where a change in Trend happened, including the gap since the last change took place.

Remove the line with "where" to see the whole list, I was not sure if you wanted to filter the ones without change or not.

Hope this helps.

BR
Ralph

--
Karma and/or Solution tagging appreciated.
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...