Splunk Search

timechart count for last status=up, each month

Path Finder

So, I've simplified my real problem down to this example with as few variables as possible. I wish I could simply alter the manner in which the data is coming in, but I cannot, so I need a solution via SPL.

Here it goes:

Almost daily Splunk indexes a set of data that has two important fields, systemid and systemstatus. systemid is a unique identifier for each system, and systemstatus can have the values "up" or "down". This data is indexed all at once, almost daily. An example of events would look like this:

One day:
08/24/2018T01:00:00 5671 up
08/24/2018T01:00:00 5672 up
08/24/2018T01:00:00 5673 down
08/24/2018T01:00:00 5674 up
08/24/2018T01:00:00 5675 up
08/24/2018T01:00:00 5676 down
08/24/2018T01:00:00 5677 up

The next day:
08/25/2018T01:00:00 5671 up
08/25/2018T01:00:00 5672 up
08/25/2018T01:00:00 5673 up
08/25/2018T01:00:00 5674 up
08/25/2018T01:00:00 5675 up
08/25/2018T01:00:00 5676 down
08/25/2018T01:00:00 5677 up

My goal: a timechart which shows the count of the number of systems "up" for the last data indexed each month. If it helps, each system_id is guaranteed to be in each set of indexed data.

This seems deceptively difficult. Many thanks to any help!


SplunkTrust

Try this. It will extract the up or down value, then use conditional logic to give it a 1 or 0, then do a timechart with 1-minute spans.

| rex "\d+\s(?<up_or_down>\w+)"
| eval state=if(up_or_down="up",1,0)
| timechart span=1m max(state) AS state

Path Finder

Thanks for the response, I should clarify my desired goal.

I'd like a timechart (coverage of 12 months, but span=1 month) which displays only 1 value per month. And that value is the number of "up" systems seen in the last data indexing for the month.

Your response did lead me to a solution which works; however, doing two timecharts in a row seems sloppy. Any suggestions for a more elegant solution?

... my search
| eval state=if(system_status="up", 1, 0)
| timechart span=d@d sum(state) AS state
| timechart span=mon@mon last(state) AS state


SplunkTrust

You could replace the first timechart with an eventstats, or simply leave it the way you got it if it's fast. Please upvote/accept if this helped.

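The eventstats approach suggested above, written out as an added example (it is not code from either poster). It assumes the base search returns one event per system per daily batch with the field names used in the thread (system_status holding "up"/"down", _time the batch timestamp), and that the base search is already bounded to the 12 months wanted, e.g. with earliest=-12mon@mon.

```spl
... my search earliest=-12mon@mon
| eval state=if(system_status="up", 1, 0)
| bin span=1d _time
| stats sum(state) AS up_count BY _time
| eval month=strftime(_time, "%Y-%m")
| eventstats max(_time) AS last_batch BY month
| where _time=last_batch
| timechart span=1mon max(up_count) AS up_count
```

The first stats collapses each daily batch to a single row (one "up" count per day), so the eventstats that follows only has to scan a few hundred rows rather than every raw event. eventstats then stamps every row with the newest batch day in its calendar month, the where keeps just that row, and the final timechart only bins the surviving one-row-per-month results; max() is used there because, after the filter, there is exactly one value per bucket. Because the last batch is taken from the data actually present, months where a batch was skipped (the "almost daily" case) still resolve to the latest batch that did arrive. If the same search is fast enough without the extra pass, `| timechart span=1mon latest(up_count)` after the stats gives the same answer in one fewer command, since latest() picks the chronologically newest value in each bucket regardless of result order. If a batch could ever contain a system twice, replace `sum(state)` with `dc(eval(if(system_status="up", systemid, null())))` so duplicates do not inflate the count.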