Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

distributing duration time into time-span buckets

jrstear
Path Finder
‎03-19-2011 02:01 AM

I've got system uptime duration records and want to break them into hours per day. Goal is to calculate mean time to interrupt over a 14-day sliding window via streamstats.

For example, given uptime=60 (hours) at 4/18/2011 08:00:00, I'd like the following buckets:

4/15/2011 00:00:00 uptime=4

4/16/2011 00:00:00 uptime=24

4/17/2011 00:00:00 uptime=24

4/18/2011 00:00:00 uptime=8

Custom command, or other way? Thanks for any help!

Related to http://answers.splunk.com/questions/6999/stats-sumduration-by-user-date-month-date-year-not-really-a... but I need more help 🙂

0 Karma
Reply

Paolo_Prigione
Builder
‎03-19-2011 07:04 PM

This way you would not account for systems with an uptime over 14 days, am I right?

I'd propose you a different approach: for each host, only count the uptime hours which are "included" in the current rolling 14-days period, then average the numbers...

sourcetype=uptime
| eval maxHoursInPeriod=round((_time - (now() - 86400*14))/3600,0)
| eval uptimeHoursInPeriod=min(100000,uptime,maxHoursInPeriod) 
| stats avg(uptimeHoursInPeriod) by machine

Here:

  • maxHoursInPeriod = the maximum number of hours that host could have been up during the current time period (date of the event - date of the period start)
  • uptimeHoursInPeriod = how many uptime hours the host has been up during the period. The 100000 is just used to force Splunk to perform numeric comparisons (there's an answer on this topic somewhere)

Here's some sample logdata (machine is my "host")

2011/02/03 07:00:21 - uptime=170 machine=a
2011/02/07 07:00:21 - uptime=60 machine=a
2011/02/07 09:08:47 - uptime=23 machine=b
2011/02/07 10:10:04 - uptime=7 machine=c
2011/02/07 11:59:09 - uptime=25 machine=d
2011/02/07 19:50:00 - uptime=10 machine=b
2011/02/09 10:00:00 - uptime=50 machine=a
2011/02/10 14:00:00 - uptime=74 machine=b
2011/02/11 20:00:00 - uptime=105 machine=c
2011/02/14 23:59:00 - uptime=179 machine=d

I am faking the now() to be Feb 10th, 0:0:0 GMT (epoch=1297296000), so my 14-days period actually starts on Jan 28th at 0:0:0. Here's the search I've used

sourcetype=uptime latest=1297296000 | eval p=1297296000
| eval maxHoursInPeriod=round((_time - (p - 86400*14))/3600,0)
| eval uptimeHoursInPeriod=min(100000,uptime,maxHoursInPeriod) 
| stats avg(uptimeHoursInPeriod) by machine
Reply

jrstear
Path Finder
‎03-21-2011 05:57 PM

Good idea - I think this works fine for a single window position. And for a sliding window, I could run nightly and save to summary. I now realize issues if there are no uptime records within the search window, and accounting for time since the latest record, but think I can handle those. Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to Officially Supported Splunk ...