How calculed Uptime in Kibana

ITchandj · January 28, 2021, 11:15am

Hallo everyone. I need heep in kibana. I want to write one Scripted field that converts Sessionlogontime(string) and gives me the result per day. i would be very proud if someone can offer me a solution. It is calculated like this in splunk

latest(SessionLogonTime) as BootTime
latest(HwModel) as HwModel
splitrow
host as Host
filter host in ("*")

     | eval BootTime = strptime (BootTime,"%Y-%m-%d %H:%M:%S.%Q %z")
     | eval Uptime = round ((now() - BootTime) / 86400, 2)
     | stats
        avg(Uptime) as AvgUptime
        dc(Host) as "#Hosts"
        by HwModel
     | rename HwModel as "Hardware model"
     | eval "Avg. uptime (days)" = round (AvgUptime, 1) | sort - "Avg. uptime (days)"

wylie · January 28, 2021, 5:49pm

I'm not familiar with splunk, so maybe I'm missing some parts of your question. There is an important difference in the way you're asking your question vs how I think about the question: the ELK stack is optimized for fast performance on pre-indexed data, and so it will be slower if you want to calculate something that isn't pre-indexed.

So basically my recommendation is, if you can, you should be indexing "uptime" as a numeric field.

If you can't, then you still have options, but there are tradeoffs:

Use the Elasticsearch transforms to find duration, like this example
Don't calculate durations on the client-side, but use the top hits metric to find the "latest value" per status

system · February 25, 2021, 5:49pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.