Hi all,
I have the below dataset for a website:
Time, title, response code
01/10/2019 08:22 ABC_PORTAL 200
01/10/2019 08:24 ABC_PORTAL
01/10/2019 08:26 ABC_PORTAL
01/10/2019 08:28 ABC_PORTAL
01/10/2019 08:30 ABC_PORTAL
01/10/2019 08:32 ABC_PORTAL 503
01/10/2019 08:34 ABC_PORTAL 503
01/10/2019 08:36 ABC_PORTAL 503
01/10/2019 08:38 ABC_PORTAL 503
01/10/2019 08:40 ABC_PORTAL 200
01/10/2019 08:42 ABC_PORTAL 200
01/10/2019 08:44 ABC_PORTAL 200
01/10/2019 08:46 ABC_PORTAL 503
01/10/2019 08:48 ABC_PORTAL
01/10/2019 08:50 ABC_PORTAL
01/10/2019 08:52 ABC_PORTAL
01/10/2019 09:54 ABC_PORTAL
01/10/2019 09:56 ABC_PORTAL
01/10/2019 09:58 ABC_PORTAL 503
01/10/2019 10:00 ABC_PORTAL 503
01/10/2019 10:02 ABC_PORTAL 200
01/10/2019 10:04 ABC_PORTAL 200
In the above data, the blank response codes are connection timeouts.
I want to show the downtime duration of the website.
Below is my query:
sourcetype=| eval response_code=if(response_code="", "failed", response_code)
| transaction title startswith="response_code=failed" endswith="response_code=200"
|eval minutes=(duration/60)| stats sum(minutes) as "Total Downtime in minutes" by title,_time
or
sourcetype=| eval response_code=if(response_code="", "failed", response_code)
| transaction title startswith="response_code=503" endswith="response_code=200"
|eval minutes=(duration/60)| stats sum(minutes) as "Total Downtime in minutes" by title,_time
The problem is that it is not calculating the correct duration. I want to show the data in the below manner:
title, Downtime_start, Downtime_end, Duration, response_code
How can I achieve the above result, or should I think of another way of representation? Any suggestions would be a great help.
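
The table requested above, worked through as an added example in Python rather than SPL (it is not part of the original post): consecutive non-200 probes for a title are merged into one downtime window that ends at the first following 200. The function names, the `timeout` label for blank codes and the day/month/year date reading are assumptions of this example.

```python
from datetime import datetime

# Subset of the rows from the post; a missing code means the probe timed out.
SAMPLE = """\
01/10/2019 08:22 ABC_PORTAL 200
01/10/2019 08:24 ABC_PORTAL
01/10/2019 08:26 ABC_PORTAL
01/10/2019 08:32 ABC_PORTAL 503
01/10/2019 08:38 ABC_PORTAL 503
01/10/2019 08:40 ABC_PORTAL 200
01/10/2019 08:44 ABC_PORTAL 200
01/10/2019 08:46 ABC_PORTAL 503
01/10/2019 08:48 ABC_PORTAL
01/10/2019 09:58 ABC_PORTAL 503
01/10/2019 10:02 ABC_PORTAL 200
"""

def parse(text):
    """Yield (time, title, code); code is 'timeout' when the field is blank."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip blank or malformed lines
        # Assumption: dates are day/month/year.
        ts = datetime.strptime(" ".join(parts[:2]), "%d/%m/%Y %H:%M")
        yield ts, parts[2], parts[3] if len(parts) > 3 else "timeout"

def downtime_windows(events):
    """Merge consecutive non-200 probes per title into downtime windows."""
    open_windows, rows = {}, []
    for ts, title, code in sorted(events):
        win = open_windows.get(title)
        if code != "200":
            if win is None:  # first failing probe opens a window
                win = open_windows[title] = {"title": title, "start": ts,
                                             "end": None, "minutes": None,
                                             "codes": []}
                rows.append(win)
            if code not in win["codes"]:
                win["codes"].append(code)
        elif win is not None:  # first 200 after failures closes the window
            win["end"] = ts
            win["minutes"] = (ts - win["start"]).total_seconds() / 60
            del open_windows[title]
    return rows  # a window still open at the end keeps end=None

if __name__ == "__main__":
    for w in downtime_windows(parse(SAMPLE)):
        print(w["title"], w["start"], w["end"], w["minutes"], ",".join(w["codes"]))
```

A window is measured from the first failing probe to the first successful one, so a timeout followed directly by 503s counts as a single outage instead of two separate ones.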