|
@@ -126,11 +126,17 @@ Additional Splunk Searches:
|
|
|
| fields splunk_server migration.*
|
|
|
| rename migration.* AS *
|
|
|
| sort start_epoch
|
|
|
+| eval Duration = end_epoch - start_epoch, Duration = tostring(Duration, "duration")
|
|
|
| convert timeformat="%F %T %Z" ctime(start_epoch) AS Start ctime(end_epoch) AS End
|
|
|
-| fields - *_epoch
|
|
|
-| eval Completed = round(current_job/total_jobs,2)*100 . "%", End = if(isnull(End), "N/A", End), status = case( status=="running", "Running", status=="finished", "Finished", true(), status )
|
|
|
-| fields splunk_server Start End status total_jobs current_job Completed
|
|
|
-| rename splunk_server AS "Splunk Indexer" status AS Status current_job AS "Current Job" total_jobs AS "Total Jobs"
|
|
|
+| fields - *_epoch
|
|
|
+| eval Completed = round(current_job/total_jobs,4)*100, End = if(isnull(End), "N/A", End), status = case( status=="running", "Running", status=="finished", "Finished", true(), status )
|
|
|
+| eventstats count AS rc sum(eval(Completed/3)) AS overall
|
|
|
+| eval overall = round(overall,2)
|
|
|
+| fields splunk_server Start End Duration status total_jobs current_job Completed overall
|
|
|
+| rename splunk_server AS "Splunk Indexer" status AS Status current_job AS "Current Job" total_jobs AS "Total Jobs"
|
|
|
+| appendpipe [ | stats count BY overall | rename overall AS Completed | fields Completed]
|
|
|
+| fields - overall
|
|
|
+| eval Completed = Completed . "%"
|
|
|
```
|
|
|
|
|
|
If Splunk restarts before the migration completes, the endpoint data may not be accurate. If that happens, run:
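Review bot: The added `eventstats` line divides each row's percentage by a literal 3 (`sum(eval(Completed/3))`), and the row count it computes as `rc` is never used. The overall figure in the appended summary row is therefore only correct when exactly three indexers report. `| eventstats avg(Completed) AS overall` would give the mean for any number of rows and make `rc` unnecessary. The new `Duration` eval will also be empty on rows where `end_epoch` is null, which the existing `isnull(End)` handling suggests is the case for migrations still running; `Duration = tostring(coalesce(end_epoch, now()) - start_epoch, "duration")` would show elapsed time instead. The search begins above this hunk, so where the `migration.*` fields come from is not visible here.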
|