source="test_API_data.csv" host="test_API_data" index="main" sourcetype="csv"
| timechart values(total_number_of_hits) as total_number_of_hits, values(successful_hits) as successful_hits, values(unsuccessful_hits) as unsuccessful_hits, values(status) as status span=1hr
| fillnull total_number_of_hits, successful_hits, unsuccessful_hits

We then get an updated table that looks like this:

We can see that the "missing hours" now have rows of zeroes, which tells us that there was no activity during these hours rather than ambiguously leaving them out. However, the "status" column is still empty for these missing hours. The status is the state of the API endpoint at the end of each hour: if the API was available at the end of the hour the status is reported as UP and, conversely, if the API was unavailable the status is reported as DOWN. Since there were no hits during the missing hours, there is nothing to tell us whether our API endpoint was available or not. We might reasonably assume that for each missing hour, the API status is the same as that of the previous hour. Be aware that this is an optimistic assumption: an outage that produces no requests at all looks identical to a quiet hour, so a DOWN status will only appear for a silent hour if the previous hour already reported DOWN.

Looking at the table, we can see that for the 01:00 row the last known value for status was UP (which comes from the 00:00 row). Using this assumption, we can use Splunk's "filldown" command to fill in the missing values.

Filldown looks for empty values for a particular field and updates them to the last known, non-empty value for that field.
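To make the behaviour of the three commands concrete, here is an added Python model of the same pipeline (example code, not from the original post or from Splunk): an hourly bucketing step standing in for timechart span=1hr, a fillnull that zeroes the count fields, and a filldown that carries the last non-empty status forward. The sample rows are constructed for this example and are not the post's test_API_data.csv; they include two silent hours after an UP hour and one silent hour after a DOWN hour, so you can see both outcomes of the "same as the previous hour" assumption.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"
COUNT_FIELDS = ("total_number_of_hits", "successful_hits", "unsuccessful_hits")

# Constructed sample data (not the post's CSV): one summary row per hour that had
# traffic. 01:00, 02:00 and 04:00 have no row at all.
SAMPLE_ROWS = [
    {"_time": "2024-01-01 00:00", "total_number_of_hits": 120,
     "successful_hits": 118, "unsuccessful_hits": 2, "status": "UP"},
    {"_time": "2024-01-01 03:00", "total_number_of_hits": 95,
     "successful_hits": 40, "unsuccessful_hits": 55, "status": "DOWN"},
    {"_time": "2024-01-01 05:00", "total_number_of_hits": 130,
     "successful_hits": 130, "unsuccessful_hits": 0, "status": "UP"},
]


def timechart_hourly(rows, fields):
    """Mimic `timechart ... span=1hr`: emit one row per hour from the earliest to the
    latest _time, with every field set to None for hours that had no source row."""
    by_hour = {}
    for r in rows:
        hour = datetime.strptime(r["_time"], FMT).replace(minute=0, second=0)
        by_hour[hour] = r
    start, end = min(by_hour), max(by_hour)
    out = []
    t = start
    while t <= end:
        src = by_hour.get(t, {})
        out.append({"_time": t.strftime(FMT), **{f: src.get(f) for f in fields}})
        t += timedelta(hours=1)
    return out


def fillnull(rows, fields, value=0):
    """Mimic `fillnull <fields>`: replace empty values with a constant (default 0)."""
    for r in rows:
        for f in fields:
            if r[f] is None:
                r[f] = value
    return rows


def filldown(rows, fields):
    """Mimic `filldown <fields>`: replace an empty value with the last non-empty value
    seen for that field, in row order. A leading empty value has nothing to inherit
    and stays empty, which is also what Splunk does."""
    last = {f: None for f in fields}
    for r in rows:
        for f in fields:
            if r[f] is None:
                r[f] = last[f]
            else:
                last[f] = r[f]
    return rows


def build_table(rows):
    """Run the full pipeline: bucket per hour, zero the counts, carry status forward."""
    table = timechart_hourly(rows, COUNT_FIELDS + ("status",))
    fillnull(table, COUNT_FIELDS)
    filldown(table, ["status"])
    return table


if __name__ == "__main__":
    for row in build_table(SAMPLE_ROWS):
        print(row)
```

Running it shows 01:00 and 02:00 with zero counts and status UP inherited from 00:00, while 04:00 inherits DOWN from 03:00: filldown never decides availability, it only repeats the previous decision.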