I have a report with a table where I am showing uptime availability of various products. Currently the table is returning only results that fall below 100%. Makes sense overall but I need all the d...
See more...
I have a report with a table where I am showing uptime availability of various products. Currently the table is returning only results that fall below 100%. Makes sense overall but I need all the data. So I need results with no data to show as 100%. For the life of me I can not figure it out. Please all knowing Splunk gods help me.
index=my_data data.environment.application="MY APP" data.environment.environment="test"
| eval estack="my_stack"
| fillnull value="prod" estack data.environment.stack
| where 'data.environment.stack'=estack
| streamstats window=1 current=False global=False values(data.result) AS nextResult BY data.componentId
| eval failureStart=if((nextResult="FAILURE" AND 'data.result'="SUCCESS"), "True", "False"), failureEnd=if((nextResult="SUCCESS" AND 'data.result'="FAILURE"), "True", "False")
| transaction data.componentId, data.environment.application, data.environment.stack startswith="failureStart=True" endswith="failureEnd=True" maxpause=15m
| stats sum(duration) as downtime by data.componentId
| addinfo
| eval uptime=(info_max_time - info_min_time)-downtime, avail=(uptime/(info_max_time - info_min_time))*100, downMins=round(downtime/60, 0)
| rename data.componentId AS Component, avail AS Availability
| table Component, Availability