topic Re: How to edit my search to create chart displaying inbound and outbound bandwidth from a switch? in Splunk Search

How to edit my search to create chart displaying inbound and outbound bandwidth from a switch?

Hindoo — Tue, 21 Apr 2015 10:00:50 GMT

Hello

I want to display a chart to see the bandwidth, inbound and outbound, from a switch.
i wrote my search:

sourcetype="syslog" host="192.168.0.1"| eval Bandwidth=Inbound+Outbound | timechart span=1m values(Inbound) as "Inbound Traffic (bps)", values(Outbound) as "Outbound Traffic (bps)", values(Bandwidth) as "Total Bandwidth (bps)"

The axes appeared, but not the curve :((

i need help please

Re: How to edit my search to create chart displaying inbound and outbound bandwidth from a switch?

jeffland — Tue, 21 Apr 2015 11:42:07 GMT

What does your data look like, especially Inbound and outbound?

Re: How to edit my search to create chart displaying inbound and outbound bandwidth from a switch?

Hindoo — Tue, 21 Apr 2015 19:53:30 GMT

it look like down link and up link interfaces

Re: How to edit my search to create chart displaying inbound and outbound bandwidth from a switch?

aweitzman — Tue, 21 Apr 2015 20:44:22 GMT

I think the issue is that the values operator gets you a multivalued list of values, which doesn't fit nicely on a chart. In this case, since you're measuring total bandwidth, you'd be better off using sum instead.

| timechart span=1m sum(Inbound) as "Inbound Traffic (bps)", sum(Outbound) as "Outbound Traffic (bps)", sum(Bandwidth) as "Total Bandwidth (bps)"

Re: How to edit my search to create chart displaying inbound and outbound bandwidth from a switch?

chimell — Tue, 21 Apr 2015 21:03:06 GMT

Hi Hindoo
If your searches inbound and outnound don't have a fields
your request will look like below:

sourcetype="syslog" host="192.168.0.1"|eval Bandwidth= [|set union [search Inbound  ][search Outbound  ]  ]|timechart span=1m values(Inbound) as "Inbound Traffic (bps)",values(Outbound) as "Outbound Traffic (bps)",values(Bandwidth) as "Total Bandwidth (bps)"

Note that in your request the problem is about Banwith=Inbound+Outbound

Re: How to edit my search to create chart displaying inbound and outbound bandwidth from a switch?

Hindoo — Tue, 21 Apr 2015 21:22:29 GMT

i tested with sum but the same result: no curve

Re: How to edit my search to create chart displaying inbound and outbound bandwidth from a switch?

aweitzman — Tue, 21 Apr 2015 21:28:34 GMT

Can you please post some sample events, as well as what the search result looks like before you try to chart it?

Re: How to edit my search to create chart displaying inbound and outbound bandwidth from a switch?

Hindoo — Tue, 21 Apr 2015 21:36:03 GMT

Sorry , I didn't really understand what I will put as a field

Re: How to edit my search to create chart displaying inbound and outbound bandwidth from a switch?

Hindoo — Tue, 21 Apr 2015 21:40:18 GMT

here is some events:

4/21/15
10:27:28.000 PM
Apr 21 22:27:28 192.168.0.1 May 26 19:02:03 2000 4800G %%10IFNET/4/INTERFACE UPDOWN(t):-DevIP=192.168.0.1; Trap 1.3.6.1.6.3.1.1.5.3: Interface 9437191 is Down, ifAdminStatus is 1, ifOperStatus is 2

host =192.168.0.1
source =192.168.1.203:514
sourcetype =syslog

4/21/15
10:27:28.000 PM
Apr 21 22:27:28 192.168.0.1 May 26 19:02:03 2000 4800G %%10IFNET/4/LINK UPDOWN(l):-DevIP=192.168.0.1; GigabitEthernet1/0/8: link status is DOWN
host =192.168.0.1
source =192.168.1.203:514
sourcetype =syslog

4/21/15
10:24:58.000 PM
Apr 21 22:24:58 192.168.0.1 May 26 18:59:33 2000 4800G %%10MSTP/2/PFWD(l):-DevIP=192.168.0.1; Instance 0's GigabitEthernet1/0/8 has been set to forwarding state!
host =192.168.0.1
source =192.168.1.203:514
sourcetype =syslog

4/21/15
10:24:57.000 PM
Apr 21 22:24:57 192.168.0.1 May 26 18:59:33 2000 4800G %%10MSTP/1/PFWD(t):-DevIP=192.168.0.1; hwPortMstiStateForwarding: Instance 0's Port 0.9437191 has been set to forwarding state!
host =192.168.0.1
source =192.168.1.203:514
sourcetype =syslog

Re: How to edit my search to create chart displaying inbound and outbound bandwidth from a switch?

jeffland — Wed, 22 Apr 2015 05:34:56 GMT

See this very important documentation on fields. Splunk works with data that has key-value pairs with fieldName=value; your data for example has a field named DevIP with value 192.168.0.1 in all your sample events. But notice how there are no fields named inbound or outbound? That's why your search does not deliver any results to display in your chart.
If you want to use a field that is not already there in your data, you can create it, e.g. with an eval expression; a very important mechanic you should read up on here. More of an advanced topic is if you frequently want to use such field that aren't there, you can use calculated or extracted fields instead of writing eval manually all the time.
Although in this particular case, I don't see how you could calculate either inbound or outbound data as there is no field that has values we could use to calculate any throughput.

Re: How to edit my search to create chart displaying inbound and outbound bandwidth from a switch?

aweitzman — Wed, 22 Apr 2015 12:26:09 GMT

See @jeffland's answer. If there are other events that do have the values you want, you need to show those particular events, otherwise there's no way to get the statistics you want.