topic Re: Delta of overflowing counter for Bandwidth measurement in Splunk Search

Delta of overflowing counter for Bandwidth measurement

splunkbeginner2 — Tue, 01 Jul 2014 16:51:22 GMT

Hey there,

today seems for me like the morning of many questions.

So I have an other problem: I want to measure the bandwidth with snmp. The Router returns an 32bit counter for octets of bits transmitted. At some very powerful connections this results in that point, that this counter reaches it ends and starts at is negative value again.. this is quite bad, because it destroys my hole graph (every few seconds you have this drop and the real rising isn't visible anymore).
The graph should display the difference of that counter to the counter of the event before. Therefore I am using the |delta command to get the difference to the last one. How could I create an query that is failure safe of filter such events out?

index=snmp source="MyConnection"| sort 0 _time |delta IfInOctets as in|timechart sum(in)

(It would be great, if you could offer a performant solution, but anything that works helps).
Anyway: Thank you for your support!

Regards,
Xantor

Re: Delta of overflowing counter for Bandwidth measurement

somesoni2 — Tue, 01 Jul 2014 20:33:52 GMT

The search is currently working right? Are you looking for alternatives to your 'delta' solution?

Re: Delta of overflowing counter for Bandwidth measurement

splunkbeginner2 — Tue, 01 Jul 2014 21:37:24 GMT

Well. But dearly it produces false results. Each time the counter crosses the maximum, delta doesn't count "from old to max and from min to current". But thats, what it should do. Delta instead works and calculates: "Value short before max - X = Current value" and returns the X.
Unfortunately I need it somehow different.

Re: Delta of overflowing counter for Bandwidth measurement

aweitzman — Wed, 09 Jul 2014 16:39:18 GMT

Maybe something like this?

(You can leave out the eval max and eval min clauses and just plug the numbers directly into the "then" clause of the if statement if you want - I just did it this way here for readability purposes.)

This is not fail-safe because it cannot take into account the situation where the delta is in reality greater than max, because that reality cannot be reflected in the statistics you're gathering. But except for that caveat, this might be your best shot.

Re: Delta of overflowing counter for Bandwidth measurement

dpaupore — Fri, 11 Jul 2014 20:47:30 GMT

also look at 1.3.6.1.2.1.31.1.1.1 mib. It has a 64 bit counter for the interface value, much less change.

Re: Delta of overflowing counter for Bandwidth measurement

splunkbeginner2 — Wed, 16 Jul 2014 18:25:04 GMT

Thank you, I know about this, but not every device is able to return a 64bit Values. Some just have 32 bits...

Re: Delta of overflowing counter for Bandwidth measurement

splunkbeginner2 — Wed, 16 Jul 2014 18:26:56 GMT

I meanwhile used a slightly different solution, but I think yours would even have been better. Thank you!