Chart of multiple data series

lukeh
Contributor

Hi,

I am trying to craft a search to chart bandwidth utilization across multiple switches and multiple interfaces, however I have run into a few issues:

1/ I can chart one switch with multiple interfaces, as per the example below... however if I want to add some additional fields to chart (eg. capacity, engineering_limit, & augmentation_limit) they are plotted multiple times per metric 😞
ie. those additional fields should only be plotted once, not for each interface (aka metric).

2/ Following on from above, I actually want to chart multiple switches with multiple interfaces, however timechart cannot accept multiple split-by clauses 😞
I have tried using xyseries (as per http://docs.splunk.com/Documentation/Splunk/latest/Search/Chartmultipledataseries ) but I can't figure out how to use it with streamstats and at the same time plot the delta for the interface usage with a per_second calculation.

3/ The interfaces should actually be stacked, but this doesn't seem to work when using timechart with a split-by-clause 😞

I am running on Splunk 5.0.1. Any help is greatly appreciated 🙂

index=mediacap ( hostname="cht-cdn6506-1" ) ( metric="ifInOctets_port-channel2" OR metric="ifInOctets_port-channel3" ) 
| streamstats current=t global=f window=2 earliest(value) as curr latest(value) as next by metric 
| eval delta=next-curr 
| eval inkilobits=(delta*8/1000) 
| eval capacity=(( 47.3 )*1024*1024) 
| eval eng=(capacity*(( 90 )/100)) 
| eval aug=(capacity*(( 70 )/100)) 
| timechart span=5m per_second(inkilobits) as in_kbps
max(capacity) as capacity
max(eng) as eng
max(aug) as aug
by metric


Thanks in advance,

Luke 🙂

0 Karma
1 Solution

jonuwz
Influencer

For the 1st part of the question, move this :

| eval capacity=(( 47.3 )*1024*1024) 
| eval eng=(capacity*(( 90 )/100)) 
| eval aug=(capacity*(( 70 )/100)) 

After the timechart command, and remove these from the timechart command :

max(capacity) as capacity
max(eng) as eng
max(aug) as aug

How exactly do you want the graph to look in 2 + 3 ?

For each time slice, have multiple columns representing the hosts, with each column having stacked interfaces ?

Not sure that's possible out of the box.

Also, you'd need 2 Y axes on your graph to plot the 'capacity','aug' fields separately to the stacked columns. See here

A quick way to have multiple switch/interfaces would be to start the search like this :

index=mediacap (metric="ifInOctets_port-channel2" OR metric="ifInOctets_port-channel3" ) | eval metric=hostname.":".metric | ...


0 Karma


lukeh
Contributor

I was able to use 'addtotals' to get the combined total 🙂

Thanks again for your help Jon! You taught me a couple of things and put me on the right track to Ninjaville 😛

0 Karma

lukeh
Contributor

Thanks for your help Jon! Moving the evals for capacity, eng, & aug worked a treat... and combining the hostname & metric field into one is brilliant! We are almost there now 🙂

However, we are still using timechart with a split-by-clause on the new metric field... so can we stack them all together to show overall bandwidth usage for the port-channels across all relevant hostnames?

Here is the current screenshot: https://dl.dropbox.com/u/1193777/splunk-media-poc3.png

What we need is all of the cht* and ken* metrics stacked to show overall bandwidth usage 🙂

Thanks in advance,

Luke.

0 Karma
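
The suggestions from this thread combined into one search, as an added example that is not taken from either poster: the hostname is folded into `metric` so a single split-by covers every switch, the capacity evals run after `timechart`, and `addtotals` adds a combined series. The field name `total` and the `where delta>=0` filter (which drops samples where the SNMP counter reset or wrapped) are assumptions added here and are not from the thread.

```spl
index=mediacap ( metric="ifInOctets_port-channel2" OR metric="ifInOctets_port-channel3" )
| eval metric=hostname.":".metric
| streamstats current=t global=f window=2 earliest(value) as curr latest(value) as next by metric
| eval delta=next-curr
| where delta>=0
| eval inkilobits=(delta*8/1000)
| timechart span=5m per_second(inkilobits) as in_kbps by metric
| addtotals fieldname=total
| eval capacity=(( 47.3 )*1024*1024)
| eval eng=(capacity*(( 90 )/100))
| eval aug=(capacity*(( 70 )/100))
```

`addtotals` sits before the capacity evals so that `capacity`, `eng` and `aug` are not included in the sum.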