Here is a sample of my log:
{
  NIC: {
    eth2: {
      linkSpeedInKbps: 10000000
      macAddress: XX:XX:XX:XX:XX:XX
      name: eth2
      stats: {
        network.dropped_received_pkts: 0
        network.dropped_transmitted_pkts: 0
        network.error_received_pkts: 0
        network.error_transmitted_pkts: 0
        network.received_pkts: 760176
        network.received_rate_kBps: 19842
        network.transmitted_pkts: 3140672
        network.transmitted_rate_kBps: 143753
      }
    }
    eth3: {
      linkSpeedInKbps: 10000000
      macAddress: XX:XX:XX:XX:XX:XX
      name: eth3
      stats: {
        network.dropped_received_pkts: 0
        network.dropped_transmitted_pkts: 0
        network.error_received_pkts: 0
        network.error_transmitted_pkts: 0
        network.received_pkts: 1068
        network.received_rate_kBps: 2
        network.transmitted_pkts: 2
        network.transmitted_rate_kBps: 0
      }
    }
  }
  nodeName: MyServer01
}
I am capturing basic network information on the servers in my environment. I would like to format a dashboard to look something like this:
I can't figure out how to get the chart to format correctly. I have tried the following:
index=mylogs sourcetype=serverstats nodeName=MyServer01
| chart latest("NIC.*.name") as "*",latest("NIC.*.linkSpeedInKbps") as "* Speed", latest("NIC.*.macAddress") as "* MAC Address" by "NIC.*.name"
And I don't get any results.
I am capturing the information and logging it. I can change the format of the log if I need to. Does anyone have any ideas on how I can get this to work?
I kind of got something working...not ideal, though:
index=mylogs sourcetype=serverstats nodeName=MyServer01
| stats latest("NIC.eth2.name") as "Host NIC", latest("NIC.eth2.linkSpeedInKbps") as "Speed (in Kbps)", latest("NIC.eth2.macAddress") as "MAC", latest("NIC.eth2.stats.network.received_pkts") as "Rx Pkts", latest("NIC.eth2.stats.network.transmitted_pkts") as "Tx Pkts", latest("NIC.eth2.stats.network.dropped_received_pkts") as "Dropped Rx Pkts", latest("NIC.eth2.stats.network.dropped_transmitted_pkts") as "Dropped Tx Pkts", latest("NIC.eth2.stats.network.error_received_pkts") as "Rx Pkt Errors", latest("NIC.eth2.stats.network.error_transmitted_pkts") as "Tx Pkt Errors"
| append [
search index=mylogs sourcetype=serverstats nodeName=MyServer01
| stats latest("NIC.eth3.name") as "Host NIC", latest("NIC.eth3.linkSpeedInKbps") as "Speed (in Kbps)", latest("NIC.eth3.macAddress") as "MAC", latest("NIC.eth3.stats.network.received_pkts") as "Rx Pkts", latest("NIC.eth3.stats.network.transmitted_pkts") as "Tx Pkts", latest("NIC.eth3.stats.network.dropped_received_pkts") as "Dropped Rx Pkts", latest("NIC.eth3.stats.network.dropped_transmitted_pkts") as "Dropped Tx Pkts", latest("NIC.eth3.stats.network.error_received_pkts") as "Rx Pkt Errors", latest("NIC.eth3.stats.network.error_transmitted_pkts") as "Tx Pkt Errors"
]
If I use a port other than "eth2" or "eth3" I am out of luck. Is there a better way to do this?
Sample:
| makeresults
| eval _raw="{\"NIC\":{\"eth2\":{\"linkSpeedInKbps\":10000000,\"macAddress\":\"XX:XX:XX:XX:XX:XX\",\"name\":\"eth2\",\"stats\":{\"network.dropped_received_pkts\":0,\"network.dropped_transmitted_pkts\":0,\"network.error_received_pkts\":0,\"network.error_transmitted_pkts\":0,\"network.received_pkts\":760176,\"network.received_rate_kBps\":19842,\"network.transmitted_pkts\":3140672,\"network.transmitted_rate_kBps\":143753}},\"eth3\":{\"linkSpeedInKbps\":10000000,\"macAddress\":\"XX:XX:XX:XX:XX:XX\",\"name\":\"eth3\",\"stats\":{\"network.dropped_received_pkts\":0,\"network.dropped_transmitted_pkts\":0,\"network.error_received_pkts\":0,\"network.error_transmitted_pkts\":0,\"network.received_pkts\":1068,\"network.received_rate_kBps\":2,\"network.transmitted_pkts\":2,\"network.transmitted_rate_kBps\":0}}},\"nodeName\":\"MyServer01\"}"
| spath nodeName
| spath NIC output=nic
| rex field=nic mode=sed "s/,(\"eth\d\":)/#\1/g"
| makemv delim="#" nic
| rex field=nic mode=sed "s/.?\"eth\d\":(.*)}/\1/"
| mvexpand nic
| spath input=nic
| fields - _raw nic
Recommended:
index=mylogs sourcetype=serverstats nodeName=MyServer01
| spath nodeName
| spath NIC output=nic
| rex field=nic mode=sed "s/,(\"eth\d\":)/#\1/g"
| makemv delim="#" nic
| rex field=nic mode=sed "s/.?\"eth\d\":(.*)}/\1/"
| mvexpand nic
| spath input=nic
| fields - _raw nic
Please modify the field names using rename.
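An added example, not part of the original thread and not from either participant: the poster said the log format can be changed, and the sed-style split above is tied to keys of the form "eth" plus a single digit (`\"eth\d\":` does not match eth10, ens192, bond0 and similar names). If the collector emits NIC as a JSON array of interface objects instead of an object keyed by interface name, spath's `NIC{}` array syntax plus mvexpand does the splitting with no regex at all. The event below is constructed inline with makeresults for illustration; the second interface name ens192 and its counters are made up, and the field names are assumed to match the ones used in this thread.

```spl
| makeresults
| eval _raw="{\"nodeName\":\"MyServer01\",\"NIC\":[{\"name\":\"eth2\",\"linkSpeedInKbps\":10000000,\"macAddress\":\"XX:XX:XX:XX:XX:XX\",\"stats\":{\"network.received_pkts\":760176,\"network.transmitted_pkts\":3140672,\"network.dropped_received_pkts\":0,\"network.dropped_transmitted_pkts\":0,\"network.error_received_pkts\":0,\"network.error_transmitted_pkts\":0}},{\"name\":\"ens192\",\"linkSpeedInKbps\":1000000,\"macAddress\":\"XX:XX:XX:XX:XX:XX\",\"stats\":{\"network.received_pkts\":1068,\"network.transmitted_pkts\":2,\"network.dropped_received_pkts\":0,\"network.dropped_transmitted_pkts\":0,\"network.error_received_pkts\":0,\"network.error_transmitted_pkts\":0}}]}"
| spath nodeName
| spath path=NIC{} output=nic
| mvexpand nic
| spath input=nic
| stats latest(linkSpeedInKbps) as "Speed (in Kbps)"
    , latest(macAddress) as "MAC"
    , latest("stats.network.received_pkts") as "Rx Pkts"
    , latest("stats.network.transmitted_pkts") as "Tx Pkts"
    , latest("stats.network.dropped_received_pkts") as "Dropped Rx Pkts"
    , latest("stats.network.dropped_transmitted_pkts") as "Dropped Tx Pkts"
    , latest("stats.network.error_received_pkts") as "Rx Pkt Errors"
    , latest("stats.network.error_transmitted_pkts") as "Tx Pkt Errors"
  by nodeName, name
```

`spath path=NIC{} output=nic` returns one multivalue entry per array element (each entry is the interface's JSON object as a string), `mvexpand nic` turns those into one event per interface, and `spath input=nic` extracts `name`, `macAddress` and the dotted `stats.network.*` fields from each. In a real dashboard, replace the first two lines with the `index=... sourcetype=... nodeName=$node_name$` search; grouping by `nodeName` as well as `name` keeps the rows correct if the token filter is ever removed. mvexpand runs per event, so the fan-out is bounded by the number of interfaces on a host rather than by the search's time range.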
When I use your top section (where you create the JSON log in Splunk using the "| makeresults" command) everything works as expected. When I use the second solution I get this instead of a table:
There is more in the log than what I initially posted. I kept the rest of it out (so we could focus on the project at hand). What am I missing?
Please try line by line.
I carefully compared your example with the results against logs in my environment. Everything is the same up until the last line:
| fields - _raw nic
In your example you create a variable named "_raw" where you create the contents of the log. In my environment the log is already there (it doesn't need to be created). There must be a different field that needs to be removed. Do you know what it is?
I see. Your query doesn't make a table, so I guess fields works wrong.
| stats latest(linkSpeedInKbps) as "Speed (in Kbps)"
, latest(macAddress) as "MAC"
, latest("stats.network.received_pkts") as "Rx Pkts"
, latest("stats.network.transmitted_pkts") as "Tx Pkts"
, latest("stats.network.dropped_received_pkts") as "Dropped Rx Pkts"
, latest("stats.network.dropped_transmitted_pkts") as "Dropped Tx Pkts"
, latest("stats.network.error_received_pkts") as "Rx Pkt Errors"
, latest("stats.network.error_transmitted_pkts") as "Tx Pkt Errors" by name
That's enough.
@to4kawa ,
Thank you so much! This is exactly what I was looking for. Here is what I used in my actual dashboard:
index=myindex sourcetype=mynodestats
nodeName=$node_name$
| spath nodeName
| spath NIC output=nic
| rex field=nic mode=sed "s/,(\"eth\d\":)/#\1/g"
| makemv delim="#" nic
| rex field=nic mode=sed "s/.?\"eth\d\":(.*)}/\1/"
| mvexpand nic
| spath input=nic
| fields - _raw nic
| stats latest(linkSpeedInKbps) as "Speed (in Kbps)"
, latest(macAddress) as "MAC"
, latest("stats.network.received_pkts") as "Rx Pkts"
, latest("stats.network.transmitted_pkts") as "Tx Pkts"
, latest("stats.network.dropped_received_pkts") as "Dropped Rx Pkts"
, latest("stats.network.dropped_transmitted_pkts") as "Dropped Tx Pkts"
, latest("stats.network.error_received_pkts") as "Rx Pkt Errors"
, latest("stats.network.error_transmitted_pkts") as "Tx Pkt Errors" by name
Worked like a charm!