duration in each state for specific time range

rferrante · ‎03-18-2012

Hi,
What would be the best approach for building a query that for a given time-range gives for each device the amount of time in each state?

I have a system that tosses in logs with "Timestamp, DeviceName, NewState" upon each state change.
e.g.
Time=03/17/2012 16:00:23;DeviceName=ABC;Down
Time=03/18/2012 14:16:23;DeviceName=ABC;Up
Time=03/18/2012 14:19:23;DeviceName=ABC;Down
Time=03/18/2012 14:21:23;DeviceName=ABC;On-Backup
Time=03/18/2012 18:49:23;DeviceName=ABC;Up
...

For example, from 3/18/2012 12:00:00 - 3/18/2012 15:00:00 could you give me a query that would yield:
Device;State;
ABC;UP; 3 minutes = 00:03:00
ABC;Down;2min (from outage in middle) + 02:16:23 (from 12:00:00 til it went up at 14:16:23) = 02:18:23
ABC;On-Backup;00:38:37 (from 14:21:23 - 15:00:00)

GKC_DavidAnso · ‎03-18-2012

Hi

Not exactly what you asked for, but you could try something like this:
DeviceName=* |transaction DeviceName startswith=Down endswith=Up |table _time duration
That will give how long it was down for.

Or to see how long it's been on battery try this:
DeviceName=* | transaction DeviceName startswith=On-Backup max-events=2 | table _time duration

duration in each state for specific time range

Enterprise Security Content Updates (ESCU) - New Releases

Thought Leaders are Validating Your Hard Work and Training Rigor

.conf23 Registration is Now Open!