Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

system uptime calculation

pprakash2
Explorer
‎02-08-2017 01:34 AM

I have a field uptime which is being forwarded from one of the server i want to monitor its uptime. This field has accumulated value of time in seconds. How do i calculate uptime of server in percentage given the date range.

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

ehudb
Contributor
‎02-09-2017 03:11 AM

Assuming uptime values makes sense: for this example first two lines have the same starting time.
And timestamp is recognized as _time field,

If the source looks like this:

|makeresults |eval a="time=15-01-2016 02:05:34.00, uptime=1231 BR
time=15-01-2016 02:45:32.00, uptime=3629 BR
time=16-01-2016 06:03:15.00, uptime=93253" |table a
|makemv delim="BR" a |mvexpand a |rename a as _raw |extract |eval _time=strptime(time,"%d-%m-%Y %H:%M:%S") |table _time uptime 



_time                 uptime
--------------------------------
2016-01-15 02:05:34 1231
2016-01-15 02:45:32 3629
2016-01-16 06:03:15 93253

Then the following query will calculate the precentage of uptime and downtime

|makeresults |eval a="time=15-01-2016 02:05:34.00, uptime=1231 BR
time=15-01-2016 02:45:32.00, uptime=3629 BR
time=16-01-2016 06:03:15.00, uptime=93253" |table a
|makemv delim="BR" a |mvexpand a |rename a as _raw |extract |eval _time=strptime(time,"%d-%m-%Y %H:%M:%S") |table _time uptime 


|eval start=_time-uptime,end=_time |eval startc=start,endc=end  
|convert ctime(*c) |sort - _time |dedup start |reverse | streamstats values(end) as before_end window=1 current=f |eval downtime=start-before_end |stats sum(uptime) as uptime sum(downtime) as downtime
|eval overall=uptime+downtime |eval uptime=(uptime/overall)*100,downtime=(downtime/overall)*100 |table uptime downtime

Result:

uptime  downtime
95.08   4.92

View solution in original post

Reply
Solved! Jump to solution
Solution

ehudb
Contributor
‎02-09-2017 03:11 AM

Assuming uptime values makes sense: for this example first two lines have the same starting time.
And timestamp is recognized as _time field,

If the source looks like this:

|makeresults |eval a="time=15-01-2016 02:05:34.00, uptime=1231 BR
time=15-01-2016 02:45:32.00, uptime=3629 BR
time=16-01-2016 06:03:15.00, uptime=93253" |table a
|makemv delim="BR" a |mvexpand a |rename a as _raw |extract |eval _time=strptime(time,"%d-%m-%Y %H:%M:%S") |table _time uptime 



_time                 uptime
--------------------------------
2016-01-15 02:05:34 1231
2016-01-15 02:45:32 3629
2016-01-16 06:03:15 93253

Then the following query will calculate the precentage of uptime and downtime

|makeresults |eval a="time=15-01-2016 02:05:34.00, uptime=1231 BR
time=15-01-2016 02:45:32.00, uptime=3629 BR
time=16-01-2016 06:03:15.00, uptime=93253" |table a
|makemv delim="BR" a |mvexpand a |rename a as _raw |extract |eval _time=strptime(time,"%d-%m-%Y %H:%M:%S") |table _time uptime 


|eval start=_time-uptime,end=_time |eval startc=start,endc=end  
|convert ctime(*c) |sort - _time |dedup start |reverse | streamstats values(end) as before_end window=1 current=f |eval downtime=start-before_end |stats sum(uptime) as uptime sum(downtime) as downtime
|eval overall=uptime+downtime |eval uptime=(uptime/overall)*100,downtime=(downtime/overall)*100 |table uptime downtime

Result:

uptime  downtime
95.08   4.92
Reply
Solved! Jump to solution

pprakash2
Explorer
‎02-22-2017 10:10 PM

Thanks Ehud, this was helpful!

0 Karma
Reply
Solved! Jump to solution

pprakash2
Explorer
‎02-09-2017 01:41 AM

Thanks morley, this query works for events starting with uptime 0 to some value, if server restarts, uptime starts from 0. for this scenario, the uptime calculation doesn't workout!

[2017-02-09 04:53:27,006]: host="infor-gtnalpq-msa1-1" , uptime="327"
[2017-02-09 04:53:28,006]: host="infor-gtnalpq-msa1-1" , uptime="328"
[2017-02-09 04:53:29,006]: host="infor-gtnalpq-msa1-1" , uptime="329"
[2017-02-09 04:53:30,006]: host="infor-gtnalpq-msa1-1" , uptime="330"
[2017-02-09 04:53:34,006]: host="infor-gtnalpq-msa1-1" , uptime="0"
[2017-02-09 04:53:35,006]: host="infor-gtnalpq-msa1-1" , uptime="1"
[2017-02-09 04:53:36,006]: host="infor-gtnalpq-msa1-1" , uptime="2"
[2017-02-09 04:53:37,006]: host="infor-gtnalpq-msa1-1" , uptime="3"
[2017-02-09 04:53:38,006]: host="infor-gtnalpq-msa1-1" , uptime="4"

0 Karma
Reply
Solved! Jump to solution

pprakash2
Explorer
‎02-08-2017 08:04 PM

example splunk events below:

timestamp=15-01-2016 02:05:34.00, uptime=1231
timestamp=15-01-2016 04:07:22.00, uptime=2398
timestamp=16-01-2016 06:03:15.00, uptime=198792

if the servecr is restarted the uptime counter starts from 0. Based on these events, i need to calculate the % uptime , % downtime for the server. Could you please assist.

0 Karma
Reply
Solved! Jump to solution

ehudb
Contributor
‎02-08-2017 03:17 PM

It would help if you will post some examples to the uptime and date range fields

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing the Expansion of the Splunk Academic Alliance Program

The Splunk Community is more than just an online forum — it’s a network of passionate users, administrators, ...

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top