Hi All,
Please help me in getting a query to display the time difference between the events mentioned below.
index=opennms nodelabel="GQML2-WANRTC001" "uei.opennms.org/nodes/nodeUp" OR "uei.opennms.org/nodes/nodeDown"
| rename _time as Time_CST
| sort - Time_CST
| fieldformat Time_CST=strftime(Time_CST,"%x %X")
| table nodelabel,eventuei, Time_CST
Output of the above query is:
nodelabel eventuei Time_CST
GQML2-WANRTC001 uei.opennms.org/nodes/nodeUp 02/27/20 04:41:00
GQML2-WANRTC001 uei.opennms.org/nodes/nodeDown 02/27/20 04:40:00
Another separate query I use:
| rex field=eventuei "uei.opennms.org/nodes/node(?<State>.+)"
| rename _time as Time_CST
| fieldformat Time_CST=strftime(Time_CST,"%x %X")
| dedup nodelabel sortby - Time_CST
| table nodelabel State Time_CST
Output for this query is:
nodelabel State Time_CST
GQML2-WANRTC001 UP 02/27/20 04:41:00
Expected output below is when the Up event came.
nodelabel Status downtime
GQML2-WANRTC001 UP 00:01
Expected output if the Up event has not come.
nodelabel Status downtime
GQML2-WANRTC001 Down
Let me know all the possibilities of this.
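One way to produce the expected output, written here as an added example and not code from the original post. It assumes only what the post shows (index=opennms, the fields nodelabel, eventuei and _time, and the nodeUp/nodeDown event UEIs); State is extracted the same way as in the second query, then each Up event is paired with the Down event that immediately precedes it for the same node:

```spl
index=opennms nodelabel="GQML2-WANRTC001" ("uei.opennms.org/nodes/nodeUp" OR "uei.opennms.org/nodes/nodeDown")
| rex field=eventuei "uei.opennms.org/nodes/node(?<State>.+)"
| sort 0 _time
| streamstats current=f last(State) as prev_state last(_time) as prev_time by nodelabel
| eval downtime_sec=if(State="Up" AND prev_state="Down", _time - prev_time, null())
| stats last(State) as Status last(downtime_sec) as downtime_sec by nodelabel
| eval downtime=if(Status="Up", tostring(downtime_sec, "duration"), "")
| table nodelabel Status downtime
```

Sorting ascending on _time and then using streamstats with current=f gives every event the State and _time of the event before it, so downtime_sec is filled only on an Up event that follows a Down. The final stats keeps the most recent State per node; when that State is Down the downtime column is blanked, which matches the second expected output, and when it is Up the last computed gap is shown. tostring(..., "duration") renders 60 seconds as 00:01:00 rather than 00:01, so adjust the formatting (for example with strftime or printf in eval) if the shorter form is required. An Up event with no Down before it in the searched time range has no downtime value, so widening the time range is the way to avoid a blank downtime for a node that is currently Up.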