×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Roy1
Explorer
Member since: ‎01-10-2024
‎02-23-2024
Community Statistics
Posts 6
Solutions 0
Karma Given 4
Karma Received 0
Member Since ‎01-10-2024
Activity Feed
View All

Re: Measuring inactivity in equipment according to...

by in Splunk Search
‎02-23-2024 04:48 AM
‎02-23-2024 04:48 AM
Thanks for your reply. I think you are right on the example data I made some mistakes there. and the query works even with multiple ID's so thank you very much.  ... View more

Measuring inactivity in equipment according to x y...

by in Splunk Search
‎02-20-2024 02:30 AM
‎02-20-2024 02:30 AM
Hello I would like to make a query in which i can see how long my equipment has been inactive and when it was inactive preferably in a timechart. I would like to define inactive in 2 ways. One is when x y and z have the same value +/-50 for 10 seconds or more In these events 1000=950/1050 for the sake of inactivity The second way is when there has been no new event from a piece of equipment for more than 10 seconds Any help would be very much appriciated. Below are some sample events and how long the equipment is active/inactive 12:00:10 x=1000 y=500 z=300 equipmentID=1 12:00:15 x=1000 y=500 z=300 equipmentID=1 12:00:20 x=1025 y=525 z=275 equipmentID=1 12:00:25 x=1000 y=500 z=300 equipmentID=1 (20 seconds of inactivity) 12:00:30 x=1600 y=850 z=60 equipmentID=1 12:00:35 x=1600 y=850 z=60 equipmentID=1 (15 seconds of activity) 12:03:00 x=1650 y=950 z=300 equipmentID=1 (135 seconds of inactivity) 12:03:05 x=1850 y=500 z=650 equipmentID=1 12:03:10 x=2500 y=950 z=800 equipmentID=1 12:03:15 x=2500 y=950 z=400 equipmentID=1 12:03:20 x=2500 y=950 z=150 equipmentID=1 (15 seconds of activity) ... View more
Labels

Re: Show the current duration of equipment where t...

by in Splunk Search
‎02-12-2024 05:02 AM
‎02-12-2024 05:02 AM
This works perfectly thank you very much. ... View more

Re: Show the current duration of equipment where t...

by in Splunk Search
‎02-12-2024 04:37 AM
‎02-12-2024 04:37 AM
I see, you are correct I made a mistake in my example events the 120 should indeed be 360. Thanks for catching my mistake ... View more

Re: Show the current duration of equipment where t...

by in Splunk Search
‎02-12-2024 04:15 AM
‎02-12-2024 04:15 AM
Thanks for the reply unfortunately it doesn’t seem to work completely. I have the timerange set to the previous 15 minutes what I think happens is that the query takes the first !=null and starts the duration from there. I fixed this by adding |sort _time 0 to the top of the query but then it only tracks the time of the last status. I would like for it to track the total time all statuses are  !=null When I use your query I get durations of ~900 seconds while they are between 1-100 When I add the time sort I only get the duration of X and not X+Y (from the following events) Do you happen to know how I get the duration of X+Y? Time EquipmentID Status JobID 12:00 1 X 10 12:01 1 "null" 10 12:02 1 "null" 10 12:03 1 Y 10 12:04 1 Y 10 12:05 1 Y 10 12:06 1 Y 10 12:07 1 X 10 12:08 1 X 10 ... View more

Show the current duration of equipment where the S...

by in Splunk Search
‎02-12-2024 02:32 AM
‎02-12-2024 02:32 AM
Hello, I have the following data:  I want to use this data to setup a dashboard. In this dashboard I want to show the current duration of equipment where the Status is not "null" (null is a string in this case and not a null value) Each JobID only has one EquipmentID The same status can occur and disappear multiple times per JobID There are around 10 different status I want to the results to show only durations above 60 seconds If the current time is 12:21 I would like the to look like this. EquipmentID   Duration Most_recent_status 2 120 Z   Time EquipmentID Status JobID 12:00 1 "null" 10 12:01 2 "null" 20 12:02 2 X 20 12:03 2 X 20 12:04 1 X 10 12:05 1 Y 10 12:06 1 Y 20 12:07 2 Y 20 12:08 1 X 10 12:09 2 Y 20 12:10 1 "null" 11 12:11 2 "null" 21 12:12 2 "null" 21 12:13 1 "null" 11 12:14 1 "null" 11 12:15 2 X 21 12:16 1 X 11 12:17 2 X 21 12:18 1 "null" 11 12:19 2 Z 21 12:20 2 Z 21   This is the query I use now only the duration_now resets every time a new event occurs  index=X sourcetype=Y JobID!=”null” |sort _time 0 | stats last(_time) as first_time last(Status) as "First_Status" latest(status) as Last_status latest(_time) as latest_times values(EquipmentID) as Equipment by JobID | eval final_duration = case(Last_status ="null", round(latest_times - first_time,2)) | eval duration_now = case(isnull(final_duration), round(now() - first_time,2)) | eval first_time=strftime(first_time, "%Y-%m-%d %H:%M:%S") | eval latest_times=strftime(latest_times, "%Y-%m-%d %H:%M:%S") | sort - first_time Any help would be greatly appreciated ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎02-23-2024 06:28 AM
Karma given to
View All