Solved: Network Metrics Statistics

riotnrrd · ‎02-26-2014

Hi;

I have event lines that summarize Round Trip Times for pings to various router IPs. For example:

2014-02-26T12:45:56-05:00 opskzlp130 rtt: 10.70.0.28=0.423 10.70.0.30=0.404 10.70.80.28=18.807 10.70.80.30=18.887 10.68.12.31=21.904 10.29.58.28=53.157 10.29.58.30=52.500 10.70.48.28=23.617 10.70.48.30=23.780 10.59.0.28=37.253 10.59.0.30=37.177 10.29.32.28=29.125 10.29.32.30=29.212 10.29.0.28=107.619 10.29.0.30=103.525 10.29.140.28=115.682 10.70.64.28=73.692 10.70.64.30=73.911 10.28.128.28=74.269 10.65.29.28=11.257 10.65.29.30=11.333 10.29.43.28=42.183 10.29.43.30=39.819 10.44.48.28=35.346 10.44.48.30=35.907 10.29.57.28=39.032 10.70.207.22=34.584 10.28.0.28=78.575 10.28.0.30=78.550 10.29.128.30=219.439

These lines are written every second. What I want is to graph / timechart the average RTT for each router=rtt value over some window (1 minute, 1 hour, 1 day, etc).

So over the window, Splunk would pick out the RTT values for each unique router in the list, and compute the statistics, in this case average RTT over the window splitting by router.

How might I accomplish something like this?

martin_mueller · ‎02-26-2014

You could do this:

your search yielding such events | rex max_match=0 "\b(?<router_rtt>\d+\.\d+\.\d+\.\d+=\d+\.?\d*)\b" | mvexpand router_rtt | rex field=router_rtt "^(?<router>[^=]+)=(?<rtt>[^=]+)$" | timechart avg(rtt) by router

View solution in original post

martin_mueller · ‎02-26-2014

You could do this:

your search yielding such events | rex max_match=0 "\b(?<router_rtt>\d+\.\d+\.\d+\.\d+=\d+\.?\d*)\b" | mvexpand router_rtt | rex field=router_rtt "^(?<router>[^=]+)=(?<rtt>[^=]+)$" | timechart avg(rtt) by router

riotnrrd · ‎02-27-2014

Perfect! Thank you!

Network Metrics Statistics

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!