Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Find time between groups of events

Jesterhead
Engager
‎11-05-2012 04:25 PM

So we log an event every hour which will either contain a true or a false. True when we are up and running ok, and false when we are down/not running at full capacity. I've been asked to use this data to track downtime for each of our sites. So for example we might have 12 events that read 'True' surrounded by many 'False' on either side of it, and then days later have a 'pocket' of events that read true again. I'm quite new to Splunk so please excuse any ignorance.

I'm looking for total amount of up time vs down time as well as the individual time for each 'pocket' of events that read true. Is this possible in any capacity to do in Splunk?

Many thanks!

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎11-05-2012 10:40 PM

If you want to group per hour, Bucket your events per time per hour.
then count the number of hours up or down.

* | bucket _time span=1h | rex "(?<state>(ok|false))" | stats count(eval(state="ok")) AS stateOK count(eval(state="false")) AS stateFALSE by state _time | eval hourly_state=if(stateOK>stateFALSE, "ok","false")

Then you can do a global |states count per hourly_state

Of you need to see the group of events, you can then add a transaction.

[edit] fixed typo in the rex command

View solution in original post

Reply
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎11-05-2012 10:40 PM

If you want to group per hour, Bucket your events per time per hour.
then count the number of hours up or down.

* | bucket _time span=1h | rex "(?<state>(ok|false))" | stats count(eval(state="ok")) AS stateOK count(eval(state="false")) AS stateFALSE by state _time | eval hourly_state=if(stateOK>stateFALSE, "ok","false")

Then you can do a global |states count per hourly_state

Of you need to see the group of events, you can then add a transaction.

[edit] fixed typo in the rex command

Reply
Solved! Jump to solution

yannK
Splunk Employee
Splunk Employee
‎11-06-2012 10:48 AM

I just fixed a missing closing parentesis in the rex command.

0 Karma
Reply
Solved! Jump to solution

Jesterhead
Engager
‎11-06-2012 10:36 AM

Great thanks for the help. I'm having trouble setting the rex command. What exactly do I need to plug into it for it to go through?

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...