topic Re: Cannot get timechart to show correct results using by "ifName" in Splunk Search

Cannot get timechart to show correct results using by "ifName"

matt4321 — Sun, 14 Sep 2014 20:10:46 GMT

Using the below search works when I only specify a single ifName.

host=ohtwbgitxsg10 ifName=1/1 | sort _time | delta ifHCInOctets as in_change | delta ifHCOutOctets as out_change | where in_change>=0 | where out_change>=0 | eval inmbits=(in_change*8/1000/1000) | eval outmbits=(out_change*8/1000/1000) | timechart span=12m per_second(inmbits) as in_Mbits, per_second(outmbits) as out_Mbits

But if I want to display multiple ifNames on the chart by changing ifName=* then adding by ifName on the timechart the results are completely inaccurate.

Am I doing something incorrectly or is there a better way of doing this?

Thanks for any help you can provide.

Re: Cannot get timechart to show correct results using by "ifName"

martin_mueller — Sun, 14 Sep 2014 20:58:39 GMT

timechart is not your problem, delta is. delta doesn't know how to do a delta field by otherfield, you need streamstats for that. Something like this:

... | streamstats window=1 global=f current=f last(ifHCInOctets) as last_in by ifName | eval in_change = ifHCInOctets - last_in | ...

Swap the eval around in case I accidentally gave you negative changes.

Re: Cannot get timechart to show correct results using by "ifName"

matt4321 — Wed, 17 Sep 2014 03:01:45 GMT

This ended up working out perfect thank you very much.

If you don't mind please have a look at my final Search and let me know if you have a better/shorter way on making this work.

host=ohtwbgitxsg10 ifName=1/1 OR ifName=2/1 OR ifName=3/1 OR ifName=4/1 | streamstats window=1 global=f current=f last(ifHCInOctets) as last_in by ifName | eval in_change = last_in - ifHCInOctets | where in_change>=0 | eval in_mbits=in_change*8/1000/1000 | streamstats window=1 global=f current=f last(ifHCOutOctets) as last_out by ifName | eval out_change = last_out - ifHCOutOctets | where out_change>=0 | eval out_mbits=out_change*8/1000/1000 |   timechart span=12m per_second(in_mbits), per_second(out_mbits) by ifName

Re: Cannot get timechart to show correct results using by "ifName"

martin_mueller — Wed, 17 Sep 2014 07:49:50 GMT

You could shorten the search string itself by using foreach around the streamstats | eval | where | eval. Those two sets of search commands only differ by "in" and "out", the rest is duplicate. That's not going to influence the execution much though.