Hi all, I have the below dataset for a website.
Time, title, response code
01/10/2019 08:22 ABC_PORTAL 200
01/10/2019 08:24 ABC_PORTAL
01/10/2019 08:26 ABC_PORTAL
01/10/2019 08:28 ABC_PORTAL
01/10/2019 08:30 ABC_PORTAL
01/10/2019 08:32 ABC_PORTAL 503
01/10/2019 08:34 ABC_PORTAL 503
01/10/2019 08:36 ABC_PORTAL 503
01/10/2019 08:38 ABC_PORTAL 503
01/10/2019 08:40 ABC_PORTAL 200
01/10/2019 08:42 ABC_PORTAL 200
01/10/2019 08:44 ABC_PORTAL 200
01/10/2019 08:46 ABC_PORTAL 503
01/10/2019 08:48 ABC_PORTAL
01/10/2019 08:50 ABC_PORTAL
01/10/2019 08:52 ABC_PORTAL
01/10/2019 09:54 ABC_PORTAL
01/10/2019 09:56 ABC_PORTAL
01/10/2019 09:58 ABC_PORTAL 503
01/10/2019 10:00 ABC_PORTAL 503
01/10/2019 10:02 ABC_PORTAL 200
01/10/2019 10:04 ABC_PORTAL 200
In the above data, the blank response codes are connection timed out.
I want to show the downtime duration of the website.
Below is my search:
sourcetype= | eval response_code=if(response_code="", "failed", response_code)
| transaction title startswith="response_code=failed" endswith="response_code=200"
| eval minutes=(duration/60) | stats sum(minutes) as "Total Downtime in minutes" by title,_time
or
sourcetype= | eval response_code=if(response_code="", "failed", response_code)
| transaction title startswith="response_code=503" endswith="response_code=200"
| eval minutes=(duration/60) | stats sum(minutes) as "Total Downtime in minutes" by title,_time
The problem is it is not calculating the correct duration. I want to show the data in the below manner:
title, Downtime_start, Downtime_end, Duration, response_code
How can I achieve the above result, or should I think of another way of representation? Any suggestions would be a great help!
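As an added reference implementation (not part of the original post, and written in Python rather than SPL so the expected rows can be checked offline), this groups consecutive non-200 polls into one downtime row per outage in the requested layout, treating a blank code as "failed" the way the post's `eval` does. The sample log is constructed in the post's format; the 2-minute polling interval and DD/MM/YYYY date order are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample in the layout from the post (time, title, response code);
# a missing code means the request timed out. Date is assumed DD/MM/YYYY.
SAMPLE_LOG = """\
01/10/2019 08:22 ABC_PORTAL 200
01/10/2019 08:24 ABC_PORTAL
01/10/2019 08:26 ABC_PORTAL
01/10/2019 08:28 ABC_PORTAL 503
01/10/2019 08:30 ABC_PORTAL 200
01/10/2019 08:32 ABC_PORTAL 200
01/10/2019 08:34 ABC_PORTAL 503
01/10/2019 08:36 ABC_PORTAL 503
01/10/2019 08:38 ABC_PORTAL 200
01/10/2019 08:40 ABC_PORTAL
"""

def parse(text):
    """Yield (time, title, code); a blank code becomes 'failed', as in the post."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        ts = datetime.strptime(f"{parts[0]} {parts[1]}", "%d/%m/%Y %H:%M")
        yield ts, parts[2], (parts[3] if len(parts) > 3 else "failed")

def _row(title, cur, end):
    return {"title": title, "Downtime_start": cur["start"], "Downtime_end": end,
            "Duration": int((end - cur["start"]).total_seconds() // 60),
            "response_code": ",".join(cur["codes"])}

def downtime_windows(text, sample_minutes=2):
    """One row per outage: opens at the first non-200 poll after a 200 and
    closes at the next 200. An outage still open at the end of the log is
    closed at the last poll plus one polling interval (assumed 2 minutes)."""
    rows, open_by_title = [], {}
    for ts, title, code in parse(text):
        cur = open_by_title.get(title)
        if code != "200":
            if cur is None:
                open_by_title[title] = {"start": ts, "codes": [code], "last": ts}
            else:
                cur["last"] = ts
                if code not in cur["codes"]:
                    cur["codes"].append(code)   # keep every distinct failure kind
        elif cur is not None:
            rows.append(_row(title, open_by_title.pop(title), ts))
    for title, cur in open_by_title.items():
        rows.append(_row(title, cur, cur["last"] + timedelta(minutes=sample_minutes)))
    return rows
```

`downtime_windows(SAMPLE_LOG)` returns three rows: 08:24 to 08:30 (6 min, "failed,503"), 08:34 to 08:38 (4 min, "503") and an unresolved outage from 08:40 closed at 08:42 (2 min, "failed").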