Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Format Chart for Network Performance

trb48
Engager
‎06-19-2020 07:49 AM

Here is a sample of my log:

 

 

{
   NIC: {
     eth2: {
       linkSpeedInKbps: 10000000
       macAddress: XX:XX:XX:XX:XX:XX
       name: eth2
       stats: {
         network.dropped_received_pkts: 0
         network.dropped_transmitted_pkts: 0
         network.error_received_pkts: 0
         network.error_transmitted_pkts: 0
         network.received_pkts: 760176
         network.received_rate_kBps: 19842
         network.transmitted_pkts: 3140672
         network.transmitted_rate_kBps: 143753
       }
     }
     eth3: {
       linkSpeedInKbps: 10000000
       macAddress: XX:XX:XX:XX:XX:XX
       name: eth3
       stats: {
         network.dropped_received_pkts: 0
         network.dropped_transmitted_pkts: 0
         network.error_received_pkts: 0
         network.error_transmitted_pkts: 0
         network.received_pkts: 1068
         network.received_rate_kBps: 2
         network.transmitted_pkts: 2
         network.transmitted_rate_kBps: 0
       }
     }
   }
nodeName: MyServer01
}

 

 

I am capturing basic network information on the servers in my environment. I would like to format a dashboard to look something like this:

trb48_0-1592577849481.png

 

I can't figure out how to get the chart to format correctly. I have tried the following:

 

 

index=mylogs sourcetype=serverstats nodeName=MyServer01

| chart  latest("NIC.*.name") as "*",latest("NIC.*.linkSpeedInKbps") as "* Speed", latest("NIC.*.macAddress") as "* MAC Address" by "NIC.*.name"

 

 

And I don't get any results.

 

I am capturing the information and logging it. I can change the format of the log if I need to. Does anyone have any ideas on how I can get this to work?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎06-19-2020 09:02 PM

I see. your query doesn't make table.

so, fields works wrong, I guess.

| stats latest(linkSpeedInKbps) as "Speed (in Kbps)"
, latest(macAddress) as "MAC"
, latest("stats.network.received_pkts") as "Rx Pkts"
, latest("stats.network.transmitted_pkts") as "Tx Pkts"
, latest("stats.network.dropped_received_pkts") as "Dropped Rx Pkts"
, latest("stats.network.dropped_transmitted_pkts") as "Dropped Tx Pkts"
, latest("stats.network.error_received_pkts") as "Rx Pkt Errors"
, latest("stats.network.error_transmitted_pkts") as "Tx Pkt Errors" by name

that's enough.

 

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution

trb48
Engager
‎06-19-2020 02:46 PM

I kind of got something working...not ideal, though:

index=mylogs sourcetype=serverstats nodeName=MyServer01 

| stats latest("NIC.eth2.name") as "Host NIC", latest("NIC.eth2.linkSpeedInKbps") as "Speed (in Kbps)", latest("NIC.eth2.macAddress") as "MAC", latest("NIC.eth2.stats.network.received_pkts") as "Rx Pkts", latest("NIC.eth2.stats.network.transmitted_pkts") as "Tx Pkts", latest("NIC.eth2.stats.network.dropped_received_pkts") as "Dropped Rx Pkts", latest("NIC.eth2.stats.network.dropped_transmitted_pkts") as "Dropped Tx Pkts", latest("NIC.eth2.stats.network.error_received_pkts") as "Rx Pkt Errors", latest("NIC.eth2.stats.network.error_transmitted_pkts") as "Tx Pkt Errors"
| append [
		search index=mylogs sourcetype=serverstats nodeName=MyServer01 

		| stats latest("NIC.eth3.name") as "Host NIC", latest("NIC.eth3.linkSpeedInKbps") as "Speed (in Kbps)", latest("NIC.eth3.macAddress") as "MAC", latest("NIC.eth3.stats.network.received_pkts") as "Rx Pkts", latest("NIC.eth3.stats.network.transmitted_pkts") as "Tx Pkts", latest("NIC.eth3.stats.network.dropped_received_pkts") as "Dropped Rx Pkts", latest("NIC.eth3.stats.network.dropped_transmitted_pkts") as "Dropped Tx Pkts", latest("NIC.eth3.stats.network.error_received_pkts") as "Rx Pkt Errors", latest("NIC.eth3.stats.network.error_transmitted_pkts") as "Tx Pkt Errors"
		]

 

If I use a port other than "eth2" or "eth3" I am out of luck. Is there a better way to do this?

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎06-19-2020 03:15 PM

sample:

| makeresults 
| eval _raw="{\"NIC\":{\"eth2\":{\"linkSpeedInKbps\":10000000,\"macAddress\":\"XX:XX:XX:XX:XX:XX\",\"name\":\"eth2\",\"stats\":{\"network.dropped_received_pkts\":0,\"network.dropped_transmitted_pkts\":0,\"network.error_received_pkts\":0,\"network.error_transmitted_pkts\":0,\"network.received_pkts\":760176,\"network.received_rate_kBps\":19842,\"network.transmitted_pkts\":3140672,\"network.transmitted_rate_kBps\":143753}},\"eth3\":{\"linkSpeedInKbps\":10000000,\"macAddress\":\"XX:XX:XX:XX:XX:XX\",\"name\":\"eth3\",\"stats\":{\"network.dropped_received_pkts\":0,\"network.dropped_transmitted_pkts\":0,\"network.error_received_pkts\":0,\"network.error_transmitted_pkts\":0,\"network.received_pkts\":1068,\"network.received_rate_kBps\":2,\"network.transmitted_pkts\":2,\"network.transmitted_rate_kBps\":0}}},\"nodeName\":\"MyServer01\"}" 
| spath nodeName 
| spath NIC output=nic 
| rex field=nic mode=sed "s/,(\"eth\d\":)/#\1/g" 
| makemv delim="#" nic 
| rex field=nic mode=sed "s/.?\"eth\d\":(.*)}/\1/" 
| mvexpand nic 
| spath input=nic 
| fields - _raw nic

recommend:

index=mylogs sourcetype=serverstats nodeName=MyServer01
| spath nodeName 
| spath NIC output=nic 
| rex field=nic mode=sed "s/,(\"eth\d\":)/#\1/g" 
| makemv delim="#" nic 
| rex field=nic mode=sed "s/.?\"eth\d\":(.*)}/\1/" 
| mvexpand nic 
| spath input=nic 
| fields - _raw nic

please modify field names using rename

 

0 Karma
Reply
Solved! Jump to solution

trb48
Engager
‎06-19-2020 04:43 PM

When I use your top section (where you create the JSON log in Splunk using the "| makeresults" command) everything works as expected. When I use the second solution I get this instead of a table:

trb48_0-1592610146393.png

There is more in the log than what I initially posted. I kept the rest of it out (so we could focus on the project at hand). What am I missing?

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎06-19-2020 04:55 PM

please try line by line. 

0 Karma
Reply
Solved! Jump to solution

trb48
Engager
‎06-19-2020 06:30 PM

I carefully compared your example with the results against logs in my environment. Everything is the same up until the last line:

| fields - _raw nic

 

In your example you create a variable named "_raw" where you create the contents of the log. In my environment the log is already there (it does't need to be created). There must be a different field that needs to be removed. Do you know what it is? 

0 Karma
Reply
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎06-19-2020 09:02 PM

I see. your query doesn't make table.

so, fields works wrong, I guess.

| stats latest(linkSpeedInKbps) as "Speed (in Kbps)"
, latest(macAddress) as "MAC"
, latest("stats.network.received_pkts") as "Rx Pkts"
, latest("stats.network.transmitted_pkts") as "Tx Pkts"
, latest("stats.network.dropped_received_pkts") as "Dropped Rx Pkts"
, latest("stats.network.dropped_transmitted_pkts") as "Dropped Tx Pkts"
, latest("stats.network.error_received_pkts") as "Rx Pkt Errors"
, latest("stats.network.error_transmitted_pkts") as "Tx Pkt Errors" by name

that's enough.

 

 

0 Karma
Reply
Solved! Jump to solution

trb48
Engager
‎06-22-2020 07:43 AM

@to4kawa ,

Thank you so much! This is exactly what I was looking for. Here is what I used in my actual dashboard:

index=myindex sourcetype=mynodestats
	nodeName=$node_name$  

| spath nodeName 
| spath NIC output=nic 
| rex field=nic mode=sed "s/,(\"eth\d\":)/#\1/g" 
| makemv delim="#" nic 
| rex field=nic mode=sed "s/.?\"eth\d\":(.*)}/\1/" 
| mvexpand nic 
| spath input=nic 
| fields - _raw nic

| stats latest(linkSpeedInKbps) as "Speed (in Kbps)"
, latest(macAddress) as "MAC"
, latest("stats.network.received_pkts") as "Rx Pkts"
, latest("stats.network.transmitted_pkts") as "Tx Pkts"
, latest("stats.network.dropped_received_pkts") as "Dropped Rx Pkts"
, latest("stats.network.dropped_transmitted_pkts") as "Dropped Tx Pkts"
, latest("stats.network.error_received_pkts") as "Rx Pkt Errors"
, latest("stats.network.error_transmitted_pkts") as "Tx Pkt Errors" by name

 

Worked like a charm!

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...