So, I've simplified my real problem down to this example with as few variables as possible. I wish I could simply alter the manner in which the data is coming in, but I cannot, so I need a solution via SPL.
Here it goes:
Almost daily, Splunk indexes a set of data that has two important fields, systemid and systemstatus. systemid is a unique identifier for each system, and systemstatus can have the value "up" or "down". This data is indexed all at once, almost daily. An example of the events would look like this:
08/24/2018T01:00:00 5671 up
08/24/2018T01:00:00 5672 up
08/24/2018T01:00:00 5673 down
08/24/2018T01:00:00 5674 up
08/24/2018T01:00:00 5675 up
08/24/2018T01:00:00 5676 down
08/24/2018T01:00:00 5677 up
The next day:
08/25/2018T01:00:00 5671 up
08/25/2018T01:00:00 5672 up
08/25/2018T01:00:00 5673 up
08/25/2018T01:00:00 5674 up
08/25/2018T01:00:00 5675 up
08/25/2018T01:00:00 5676 down
08/25/2018T01:00:00 5677 up
My goal: a timechart which shows the count of the number of systems "up" for the last data indexed each month. If it helps, each system_id is guaranteed to be in each set of indexed data.
This seems deceptively difficult. Many thanks for any help!
Try this. It will extract the up or down value, then use conditional logic to give it a 1 or 0, then do a timechart with 1-minute spans:
| rex "\d+\s(?<up_or_down>\w+)" | eval state=if(up_or_down="up",1,0) | timechart span=1m max(state) AS state
Thanks for the response, I should clarify my desired goal.
I'd like a timechart (covering 12 months, but with span=1 month) which displays only 1 value per month. That value is the number of "up" systems seen in the last data indexing for the month.
Your response did lead me to a solution which works; however, doing two timecharts in a row seems sloppy. Any suggestions for a more elegant solution?
... my search
| eval state=if(system_status="up", 1, 0)
| timechart span=d@d sum(state) AS state
| timechart span=mon@mon last(state) AS state
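As an added illustration (not code from this thread or from Splunk), here is a small Python model of the two-pass pipeline in the post above: a daily sum of the up/down flag, then the last daily value per month. The sample batches, the system ids and the run dates are constructed for the example; the function names are my own. The August data deliberately ends on the 30th rather than the 31st, because the runs are "almost daily" and the monthly figure must come from the last run that actually happened, not from the last calendar day.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data (only its shape is taken from the thread): one batch per
# indexing run, with the status of each system listed in SYSTEM_IDS order. Runs are
# "almost daily", so the last August run falls on the 30th, not the 31st.
SYSTEM_IDS = ["5671", "5672", "5673", "5674", "5675", "5676", "5677"]
SAMPLE_BATCHES = {
    "08/24/2018T01:00:00": ["up", "up", "down", "up", "up", "down", "up"],
    "08/25/2018T01:00:00": ["up", "up", "up", "up", "up", "down", "up"],
    "08/30/2018T01:00:00": ["up", "down", "up", "up", "down", "down", "up"],
    "09/01/2018T01:00:00": ["up"] * 7,
    "09/02/2018T01:00:00": ["up", "up", "up", "down", "up", "up", "up"],
}


def sample_events():
    """Render the constructed batches as raw lines: '<ts> <systemid> <systemstatus>'."""
    return [f"{ts} {sid} {status}"
            for ts, statuses in SAMPLE_BATCHES.items()
            for sid, status in zip(SYSTEM_IDS, statuses)]


def parse_event(line):
    """Split one raw line into (timestamp, systemid, systemstatus)."""
    ts, systemid, status = line.split()
    return datetime.strptime(ts, "%m/%d/%YT%H:%M:%S"), systemid, status


def up_count_per_day(lines):
    """Model of: eval state=if(systemstatus="up",1,0) | timechart span=d@d sum(state).
    Returns {'YYYY-MM-DD': number of systems reported up by that day's run}."""
    daily = defaultdict(int)
    for line in lines:
        if not line.strip():
            continue
        ts, _, status = parse_event(line)
        # Anything other than "up" contributes 0, like the if() in the posted eval.
        daily[ts.date().isoformat()] += 1 if status == "up" else 0
    return dict(daily)


def last_daily_count_per_month(daily):
    """Model of: timechart span=mon@mon last(state). Walking the days in order and
    overwriting means each month keeps the count from its latest run that had data,
    even when that run is not on the last calendar day of the month."""
    monthly = {}
    for day in sorted(daily):
        monthly[day[:7]] = daily[day]  # 'YYYY-MM' <- count from the latest day seen
    return monthly


def last_up_count_per_month(lines):
    """The whole pipeline: daily up-count, then the last daily value per month."""
    return last_daily_count_per_month(up_count_per_day(lines))


def incomplete_runs(lines, expected_ids=SYSTEM_IDS):
    """Sanity check for the stated guarantee that every system is in every run.
    Returns {run_timestamp: sorted missing systemids}; an empty dict means all good."""
    seen = defaultdict(set)
    for line in lines:
        if line.strip():
            ts, systemid, _ = parse_event(line)
            seen[ts].add(systemid)
    return {ts.strftime("%m/%d/%YT%H:%M:%S"): sorted(set(expected_ids) - ids)
            for ts, ids in seen.items() if set(expected_ids) - ids}


if __name__ == "__main__":
    for month, count in last_up_count_per_month(sample_events()).items():
        print(month, count)  # 2018-08 4 and 2018-09 6 for the constructed batches
    print("incomplete runs:", incomplete_runs(sample_events()))
```

The model keeps, for each month, the most recent day that actually has events. The posted SPL relies on the same behaviour: the second timechart's last() only sees daily buckets that carry a value, so a month whose final run was on the 30th still reports that run. If the daily series were filled with zeros for days without a run (for example with fillnull), last() would instead return 0 for every month that does not end on a run day, so avoid filling between the two passes. The incomplete_runs check is worth keeping next to the report: the monthly number is only meaningful if every system really is present in every run, as the question assumes.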