Splunk Search

timechart count for last status=up, each month

adamsmith47
Communicator

So, I've simplified my real problem down to this example with as few variables as possible. I wish I could simply alter the manner in which the data is coming in, but I cannot, so I need a solution via SPL.

Here it goes:

Almost daily Splunk indexes a set of data that has two important fields, system_id and system_status. system_id is a unique identifier for each system, and system_status can have the values "up" or "down". This data is indexed all at once, almost daily. An example of the events would look like this:

One day:
08/24/2018T01:00:00 5671 up
08/24/2018T01:00:00 5672 up
08/24/2018T01:00:00 5673 down
08/24/2018T01:00:00 5674 up
08/24/2018T01:00:00 5675 up
08/24/2018T01:00:00 5676 down
08/24/2018T01:00:00 5677 up

The next day:
08/25/2018T01:00:00 5671 up
08/25/2018T01:00:00 5672 up
08/25/2018T01:00:00 5673 up
08/25/2018T01:00:00 5674 up
08/25/2018T01:00:00 5675 up
08/25/2018T01:00:00 5676 down
08/25/2018T01:00:00 5677 up

My goal: a timechart which shows the count of the number of systems "up" for the last data indexed each month. If it helps, each system_id is guaranteed to be in each set of indexed data.

This seems deceptively difficult. Many thanks for any help!

0 Karma

skoelpin
SplunkTrust

Try this. It will extract the up or down value, then use conditional logic to give it a 1 or 0, then do a timechart with 1 minute spans.

| rex "\d+\s(?<up_or_down>\w+)"
| eval state=if(up_or_down="up",1,0)
| timechart span=1m max(state) AS state
0 Karma

adamsmith47
Communicator

Thanks for the response, I should clarify my desired goal.

I'd like a timechart (coverage of 12 months, but span=1 month) which displays only 1 value per month. And that value is the number of "up" systems seen in the last data indexing for the month.

Your response did lead me to a solution which works; however, doing two timecharts in a row seems sloppy. Any suggestions for a more elegant solution?

... my search
| eval state=if(system_status="up", 1, 0)
| timechart span=d@d sum(state) AS state
| timechart span=mon@mon last(state) AS state

0 Karma

skoelpin
SplunkTrust

You could replace the first timechart with an eventstats, or simply leave it the way you got it if it's fast. Please upvote/accept if this helped.

0 Karma
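A complete, self-contained version of the "count of up systems from the last batch of each month" search, added here as an example and not code posted by anyone in the thread. The sample batches are constructed inline with makeresults (the two days from the question plus an invented September batch so the monthly chart has two buckets); the field names system_id and system_status are taken from the question, everything else (ts, data, up_count) is an assumed name. The per-day roll-up uses stats rather than a first timechart, and the monthly stage uses latest() instead of last():

```spl
| makeresults
| eval data="08/24/2018T01:00:00 5671 up,08/24/2018T01:00:00 5672 up,08/24/2018T01:00:00 5673 down,08/24/2018T01:00:00 5674 up,08/24/2018T01:00:00 5675 up,08/24/2018T01:00:00 5676 down,08/24/2018T01:00:00 5677 up,08/25/2018T01:00:00 5671 up,08/25/2018T01:00:00 5672 up,08/25/2018T01:00:00 5673 up,08/25/2018T01:00:00 5674 up,08/25/2018T01:00:00 5675 up,08/25/2018T01:00:00 5676 down,08/25/2018T01:00:00 5677 up,09/27/2018T01:00:00 5671 up,09/27/2018T01:00:00 5672 down,09/27/2018T01:00:00 5673 down,09/27/2018T01:00:00 5674 up,09/27/2018T01:00:00 5675 up,09/27/2018T01:00:00 5676 down,09/27/2018T01:00:00 5677 up"
| makemv delim="," data
| mvexpand data
| rex field=data "^(?<ts>\S+)\s(?<system_id>\d+)\s(?<system_status>\w+)$"
| eval _time=strptime(ts, "%m/%d/%YT%H:%M:%S")
| fields _time system_id system_status
| eval state=if(system_status="up", 1, 0)
| bin _time span=1d
| stats sum(state) AS up_count BY _time
| timechart span=1mon latest(up_count) AS up_count
```

Everything up to the `fields` line only fabricates the sample events; against real data, replace it with the base search and start at the `eval state=...` line. The `bin _time span=1d` is a guard for batches whose events are not all stamped to the same second. With the constructed data the chart shows up_count=6 for 2018-08 (the 08/25 batch) and up_count=4 for 2018-09. The reason for latest() rather than last(): last() returns the last value in result order, which after a timechart is ascending _time (so the thread's two-timechart version happens to work), but raw search results arrive newest-first, so swapping the first timechart for eventstats as suggested above would make last() return the earliest batch of the month. latest() selects by _time and is correct regardless of result order.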