topic Re: Display peak usage over time in Splunk Search

Display peak usage over time

lukeh — Tue, 19 Feb 2013 04:55:34 GMT

Hi 🙂

We are using Splunk 5.0.2 and have a requirement to show peak bandwidth usage over time.

Here is the search that we are using over the Last 30 days:

index=mediacap ( hostname="cha-cdn6506-*" OR hostname="cht-cdn6506-*" ) ( metric="ifInOctets_Port-channel10" OR metric="ifInOctets_Port-channel11" ) 
| eval metric=hostname.":".metric 
| streamstats current=t global=f window=2 earliest(value) as curr latest(value) as next by metric 
| eval delta=next-curr 
| eval inkilobits=(delta*8/1000/1000/1000) 
| timechart span=5m per_second(inkilobits) as in_kbps useother=f limit=0 by metric 
| addtotals *Octets* 
| fields + Total 
| timechart span=1d max(Total) as Usage

It shows a line graph of peak usage with a span of 1 day between data points, however splunk displays those data points snapped to midnight (ie. beginning of each day).

Is it possible to show the actual time in a day or hour that a peak occurred? Could it be put in a table and/or on the chart?

Thanks in advance,

Luke 🙂

Re: Display peak usage over time

jonuwz — Tue, 19 Feb 2013 08:18:57 GMT

Yip.

If you want the values in a table, here's an example :

earliest=-7d@d
| bin _time span=5m
| stats count as eps by _time 
| eval day=_time
| bin day span=1d
| eventstats max(eps) as peak_eps by day
| where eps==peak_eps
| fields - day eps

If you want to plot this, add :

| eval date_string=strftime(_time,"%d/%m/%y %H:%M:00")
| chart first(eps) by date_string

There's no way to display 5 minute chunks over 30 days, so you have to resort to using chart instead of timechart.

If the date strings on the X axis look ugly, and this is going in a dashboard, I answered a question recently about word-wrapping / truncation for axis labels.

Re: Display peak usage over time

lukeh — Tue, 19 Feb 2013 23:55:27 GMT

Awesome! Thanks John!!!