Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Find time between groups of events

Jesterhead
Engager
‎11-05-2012 04:25 PM

So we log an event every hour which will either contain a true or a false. True when we are up and running ok, and false when we are down/not running at full capacity. I've been asked to use this data to track downtime for each of our sites. So for example we might have 12 events that read 'True' surrounded by many 'False' on either side of it, and then days later have a 'pocket' of events that read true again. I'm quite new to Splunk so please excuse any ignorance.

I'm looking for total amount of up time vs down time as well as the individual time for each 'pocket' of events that read true. Is this possible in any capacity to do in Splunk?

Many thanks!

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎11-05-2012 10:40 PM

If you want to group per hour, Bucket your events per time per hour.
then count the number of hours up or down.

* | bucket _time span=1h | rex "(?<state>(ok|false))" | stats count(eval(state="ok")) AS stateOK count(eval(state="false")) AS stateFALSE by state _time | eval hourly_state=if(stateOK>stateFALSE, "ok","false")

Then you can do a global |states count per hourly_state

Of you need to see the group of events, you can then add a transaction.

[edit] fixed typo in the rex command

View solution in original post

Reply
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎11-05-2012 10:40 PM

If you want to group per hour, Bucket your events per time per hour.
then count the number of hours up or down.

* | bucket _time span=1h | rex "(?<state>(ok|false))" | stats count(eval(state="ok")) AS stateOK count(eval(state="false")) AS stateFALSE by state _time | eval hourly_state=if(stateOK>stateFALSE, "ok","false")

Then you can do a global |states count per hourly_state

Of you need to see the group of events, you can then add a transaction.

[edit] fixed typo in the rex command

Reply
Solved! Jump to solution

yannK
Splunk Employee
Splunk Employee
‎11-06-2012 10:48 AM

I just fixed a missing closing parentesis in the rex command.

0 Karma
Reply
Solved! Jump to solution

Jesterhead
Engager
‎11-06-2012 10:36 AM

Great thanks for the help. I'm having trouble setting the rex command. What exactly do I need to plug into it for it to go through?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...