Hi, I am using the query below to list the boot-up time and downtime based on event code, but if the boot-up time shows 3 different days in a month, the calculation for downtime is the same for all three days.

    index="wineventlog" host IN (abc) (EventCode=6005) Type=Information
    | eval BootUptime = strftime(_time, "%Y-%d-%m %H:%M:%S")
    | table host, BootUptime
    | fields _time, host, BootUptime
    | join type=left host
        [| search index="wineventlog" host IN (abc) EventCode=6006 OR EventCode="6005" Type=Information
         | transaction host startswith=6006 endswith=6005 maxevents=2
         | eval duration=tostring(duration,"duration")
         | eval time_taken = replace(duration,"(\d+)\:(\d+)\:(\d+)","\1h \2min \3sec")
         | rename time_taken AS Downtime]
    | table _time host BootUptime Downtime

e.g.:

    host   bootuptime            downtime
    abc    2022-15-01 08:15:40   00h 02min 51sec
    abc    2022-20-01 03:58:22   00h 02min 51sec
    abc    2022-15-01 04:34:53   00h 02min 51sec

The correct answers for downtime are 2.85 min, 2.8 min and 3.1666666666666665 min. How can I correct it? Thanks in advance.
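The pairing the question is after, in Python, as an added example that is not part of the original post: per_boot_downtime pairs each 6005 with the latest earlier 6006 on the same host, so every boot gets its own value, while join_on_host_downtime reproduces the flawed result of joining on host alone for comparison. The events are constructed to give the three downtimes quoted above plus one boot with no preceding shutdown record.

```python
from datetime import datetime

# Constructed sample events, not taken from the original post. On Windows,
# EventCode 6006 is logged when the event log service stops (clean shutdown)
# and 6005 when it starts (boot), so a boot's downtime is the gap back to the
# most recent 6006 on the same host.
EVENTS = [
    ("abc", "2022-01-15 04:32:02", 6006),
    ("abc", "2022-01-15 04:34:53", 6005),  # 2 min 51 s -> 2.85 min
    ("abc", "2022-01-15 08:12:52", 6006),
    ("abc", "2022-01-15 08:15:40", 6005),  # 2 min 48 s -> 2.80 min
    ("abc", "2022-01-20 03:55:12", 6006),
    ("abc", "2022-01-20 03:58:22", 6005),  # 3 min 10 s -> 3.1667 min
    ("abc", "2022-01-25 09:00:00", 6005),  # boot with no preceding 6006 (crash / power loss)
]
TS = "%Y-%m-%d %H:%M:%S"


def per_boot_downtime(events):
    """Return (host, boot_time, downtime_minutes) for every 6005 event.

    downtime_minutes is None when no 6006 precedes the boot on that host;
    that gap is reported, not filled with another boot's value.
    """
    rows, last_stop = [], {}
    # ISO timestamps sort correctly as strings, so (host, ts) gives time order per host.
    for host, ts, code in sorted(events, key=lambda e: (e[0], e[1])):
        t = datetime.strptime(ts, TS)
        if code == 6006:
            last_stop[host] = t
        elif code == 6005:
            stop = last_stop.pop(host, None)
            minutes = None if stop is None else (t - stop).total_seconds() / 60
            rows.append((host, ts, minutes))
    return rows


def join_on_host_downtime(events):
    """Mimic `join type=left host`: only one subsearch row survives per host,
    so every boot row of that host inherits the same Downtime. Which pair wins
    depends on subsearch ordering; the earliest is used here, which matches
    the three identical rows in the post."""
    per_boot = per_boot_downtime(events)
    first = {}
    for host, _, minutes in per_boot:
        if minutes is not None:
            first.setdefault(host, minutes)
    return [(host, ts, first.get(host)) for host, ts, _ in per_boot]
```

A Splunk-side fix follows the same idea: order events by host and time and carry the previous 6006 timestamp onto each 6005 (for example with streamstats) instead of joining on host alone.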