- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: system uptime calculation
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a field uptime which is being forwarded from one of the server i want to monitor its uptime. This field has accumulated value of time in seconds. How do i calculate uptime of server in percentage given the date range.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming uptime values makes sense: for this example first two lines have the same starting time.
And timestamp is recognized as _time field,
If the source looks like this:
|makeresults |eval a="time=15-01-2016 02:05:34.00, uptime=1231 BR
time=15-01-2016 02:45:32.00, uptime=3629 BR
time=16-01-2016 06:03:15.00, uptime=93253" |table a
|makemv delim="BR" a |mvexpand a |rename a as _raw |extract |eval _time=strptime(time,"%d-%m-%Y %H:%M:%S") |table _time uptime
_time uptime
--------------------------------
2016-01-15 02:05:34 1231
2016-01-15 02:45:32 3629
2016-01-16 06:03:15 93253
Then the following query will calculate the precentage of uptime and downtime
|makeresults |eval a="time=15-01-2016 02:05:34.00, uptime=1231 BR
time=15-01-2016 02:45:32.00, uptime=3629 BR
time=16-01-2016 06:03:15.00, uptime=93253" |table a
|makemv delim="BR" a |mvexpand a |rename a as _raw |extract |eval _time=strptime(time,"%d-%m-%Y %H:%M:%S") |table _time uptime
|eval start=_time-uptime,end=_time |eval startc=start,endc=end
|convert ctime(*c) |sort - _time |dedup start |reverse | streamstats values(end) as before_end window=1 current=f |eval downtime=start-before_end |stats sum(uptime) as uptime sum(downtime) as downtime
|eval overall=uptime+downtime |eval uptime=(uptime/overall)*100,downtime=(downtime/overall)*100 |table uptime downtime
Result:
uptime downtime
95.08 4.92
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming uptime values makes sense: for this example first two lines have the same starting time.
And timestamp is recognized as _time field,
If the source looks like this:
|makeresults |eval a="time=15-01-2016 02:05:34.00, uptime=1231 BR
time=15-01-2016 02:45:32.00, uptime=3629 BR
time=16-01-2016 06:03:15.00, uptime=93253" |table a
|makemv delim="BR" a |mvexpand a |rename a as _raw |extract |eval _time=strptime(time,"%d-%m-%Y %H:%M:%S") |table _time uptime
_time uptime
--------------------------------
2016-01-15 02:05:34 1231
2016-01-15 02:45:32 3629
2016-01-16 06:03:15 93253
Then the following query will calculate the precentage of uptime and downtime
|makeresults |eval a="time=15-01-2016 02:05:34.00, uptime=1231 BR
time=15-01-2016 02:45:32.00, uptime=3629 BR
time=16-01-2016 06:03:15.00, uptime=93253" |table a
|makemv delim="BR" a |mvexpand a |rename a as _raw |extract |eval _time=strptime(time,"%d-%m-%Y %H:%M:%S") |table _time uptime
|eval start=_time-uptime,end=_time |eval startc=start,endc=end
|convert ctime(*c) |sort - _time |dedup start |reverse | streamstats values(end) as before_end window=1 current=f |eval downtime=start-before_end |stats sum(uptime) as uptime sum(downtime) as downtime
|eval overall=uptime+downtime |eval uptime=(uptime/overall)*100,downtime=(downtime/overall)*100 |table uptime downtime
Result:
uptime downtime
95.08 4.92
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Ehud, this was helpful!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks morley, this query works for events starting with uptime 0 to some value, if server restarts, uptime starts from 0. for this scenario, the uptime calculation doesn't workout!
[2017-02-09 04:53:27,006]: host="infor-gtnalpq-msa1-1" , uptime="327"
[2017-02-09 04:53:28,006]: host="infor-gtnalpq-msa1-1" , uptime="328"
[2017-02-09 04:53:29,006]: host="infor-gtnalpq-msa1-1" , uptime="329"
[2017-02-09 04:53:30,006]: host="infor-gtnalpq-msa1-1" , uptime="330"
[2017-02-09 04:53:34,006]: host="infor-gtnalpq-msa1-1" , uptime="0"
[2017-02-09 04:53:35,006]: host="infor-gtnalpq-msa1-1" , uptime="1"
[2017-02-09 04:53:36,006]: host="infor-gtnalpq-msa1-1" , uptime="2"
[2017-02-09 04:53:37,006]: host="infor-gtnalpq-msa1-1" , uptime="3"
[2017-02-09 04:53:38,006]: host="infor-gtnalpq-msa1-1" , uptime="4"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
example splunk events below:
timestamp=15-01-2016 02:05:34.00, uptime=1231
timestamp=15-01-2016 04:07:22.00, uptime=2398
timestamp=16-01-2016 06:03:15.00, uptime=198792
if the servecr is restarted the uptime counter starts from 0. Based on these events, i need to calculate the % uptime , % downtime for the server. Could you please assist.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It would help if you will post some examples to the uptime and date range fields
Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users
Everything Community at .conf24!
Index This | I’m short for "configuration file.” What am I?
