Reporting

How do I get a basic traffic graph similar to MRTG

jimjim
Explorer

Apologies - I am sure this has been answered before.

I am trying to create a graph from my traffic logs. I have managed to extract the 4 fields from the traffic logs as "Start_time" "End_time" "transmitted bits per second" "received bits per second"

But when I try to graph this I get different results. I want the x-axis to be the start_time (not the splunk recorded time field "_time") and I want the y-axis to be "bits per second"

I would like a single log entry to be represented on the x-axis from "Start_time" upto the later time of "End_time" with a height on the y-axis of the integer number "transmitted bits per second" (no time averages or other fancy math functions)

In fact I am just looking for a graph of traffic versus time from a standard traffic log.

Has anyone got any links to a splunk graph and the search string used to generate something like this ?

Many thanks for your help

1 Solution

sideview
SplunkTrust

The timechart command will use the _time field for its x-axis, and the values of that _time field have to be epochTime (i.e. # of seconds since 1970). Beyond that, where those values actually come from doesn't really matter, so we can just eval them from your extracted start_time field.

http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/CommonEvalFunctions

If that start_time is already an epochTime number then we can save some time, but I'm going to assume that it's extracted in a string format, and I'm going to additionally assume that the timeformat string involved is: "%m/%d/%Y %H:%M:%S"

So here goes:

<your search> | eval _time=strptime(start_time, "%m/%d/%Y %H:%M:%S")

that will overwrite the indexed _time values with your extracted times.

And from there, I think all you want is basically a graph of overall bits transmitted over time. I've broken this out step by step so it's a little easier to follow.

<your search>
| eval _time=strptime(start_time, "%m/%d/%Y %H:%M:%S") 
| eval end_time_epoch = strptime(end_time, "%m/%d/%Y %H:%M:%S") 
| eval duration=end_time_epoch - _time 
| eval bytesTransmitted = bytesTransmitPerSecond * duration
| timechart sum(bytesTransmitted)

hope that helps.
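As an added illustration (not code from the thread, and not Splunk's own), here is a small Python model of the answer's eval/timechart chain run over constructed log lines: it parses start_time and end_time with the same "%m/%d/%Y %H:%M:%S" format, computes duration and rate-times-duration per event, and buckets the result the way `timechart sum(...)` does, which puts an event's whole total into the bucket containing its _time even when the event runs past that bucket. Going one step beyond the answer, it also apportions each event's bits across the buckets it overlaps, which is the "bar from start_time to end_time" the question asks for. The key=value layout, the `transmitted_bps` field name and the 60-second span are assumptions; the thread's rate field is bits per second, so the code names the product `bits_transmitted` where the answer wrote bytesTransmitted.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample traffic log lines (not from the thread). Timestamps use the
# "%m/%d/%Y %H:%M:%S" format the answer assumes; rate fields are bits/s as the
# question describes them. The key=value layout is an assumption.
SAMPLE_LOG = [
    "start_time=01/02/2024 10:00:00 end_time=01/02/2024 10:00:30 transmitted_bps=8000 received_bps=4000",
    "start_time=01/02/2024 10:00:45 end_time=01/02/2024 10:01:15 transmitted_bps=16000 received_bps=2000",
    "start_time=01/02/2024 10:02:00 end_time=01/02/2024 10:02:10 transmitted_bps=800 received_bps=800",
]

TIME_FORMAT = "%m/%d/%Y %H:%M:%S"
# key=value pairs; a value is either a full timestamp (which contains a space) or one token
KV_RE = re.compile(r"(\w+)=(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}|\S+)")


def strptime_epoch(text):
    """Counterpart of SPL strptime(text, fmt): timestamp string -> epoch seconds.
    UTC is assumed here; Splunk would apply the search-time timezone."""
    return datetime.strptime(text, TIME_FORMAT).replace(tzinfo=timezone.utc).timestamp()


def parse_event(line):
    """Produce the fields the answer's eval chain creates for one log line."""
    fields = dict(KV_RE.findall(line))
    ev = {
        "_time": strptime_epoch(fields["start_time"]),         # eval _time=strptime(start_time, ...)
        "end_time_epoch": strptime_epoch(fields["end_time"]),  # eval end_time_epoch=strptime(end_time, ...)
        "transmitted_bps": float(fields["transmitted_bps"]),
    }
    ev["duration"] = ev["end_time_epoch"] - ev["_time"]              # eval duration=end_time_epoch - _time
    ev["bits_transmitted"] = ev["transmitted_bps"] * ev["duration"]  # eval <total> = rate * duration
    return ev


def timechart_sum(events, span=60):
    """Mirror of `timechart span=<span>s sum(bits_transmitted)`: each event's whole
    total lands in the bucket containing its _time, even if the event runs past it."""
    totals = defaultdict(float)
    for ev in events:
        bucket = int(ev["_time"] // span) * span
        totals[bucket] += ev["bits_transmitted"]
    return dict(totals)


def spread_over_buckets(events, span=60):
    """The 'bar from start_time to end_time' the question wants: each event's bits
    are apportioned to every bucket it overlaps, pro rata by seconds of overlap."""
    totals = defaultdict(float)
    for ev in events:
        t, end = ev["_time"], ev["end_time_epoch"]
        while t < end:  # zero or negative durations contribute nothing
            bucket = int(t // span) * span
            segment_end = min(end, bucket + span)
            totals[bucket] += ev["transmitted_bps"] * (segment_end - t)
            t = segment_end
    return dict(totals)


def average_bps(bits_by_bucket, span=60):
    """Turn per-bucket bit totals back into the bits-per-second y-axis the question asks for."""
    return {bucket: bits / span for bucket, bits in bits_by_bucket.items()}


if __name__ == "__main__":
    events = [parse_event(line) for line in SAMPLE_LOG]
    for name, chart in (("timechart sum", timechart_sum(events)),
                        ("spread over interval", spread_over_buckets(events))):
        print(name)
        for bucket in sorted(chart):
            stamp = datetime.fromtimestamp(bucket, timezone.utc).strftime("%H:%M")
            print(f"  {stamp}  {chart[bucket]:>10.0f} bits  {chart[bucket] / 60:8.1f} bps")
```

With the constructed lines, the second event starts at 10:00:45 and ends at 10:01:15; `timechart_sum` credits all 480000 bits to the 10:00 bucket, while `spread_over_buckets` splits them 240000/240000 between 10:00 and 10:01, which is what a start-to-end bar would show. Dividing by the span turns those totals back into an average bits-per-second value for the y-axis.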

sideview
SplunkTrust

Is there a reason that you're not indexing the data such that the indexed time of the event actually is the start_time field? Is there a third timestamp in the logs that is also meaningful? If not I suggest fixing the problem at indexing, because then this just becomes "timechart avg(transmitted_bps)"

0 Karma

jimjim
Explorer

... a bar chart type entry starting at "start time" and going on until "end time".

Maybe I am being too particular. I will give your suggestion a go and it will probably give me good enough results.

Again many thanks for your help here.

0 Karma

jimjim
Explorer

Many thanks for your suggestions. You gave me a couple of things to look at further.
I am able to get the start time field from the log entry,
and can also get the duration in seconds from the log entry.
I can convert the start time to epoch time and add on the duration
to get the end time (as an epoch value or as a regular time stamp format).

But your suggestion "timechart sum(transmit_per_second)" would chart
the "transmit_per_second" against "_time" (the time stamp Splunk gets the log at), as opposed to the time in the log entry.
And it gets the sum for this particular time rather than showing a bar

0 Karma

mayler
Path Finder

I would be interested in this as well. Good luck. You got me thinking... and I found this, in case you haven't read it yet.

http://www.splunk.com/base/Documentation/4.1/Developer/ChartReference

0 Karma

mayler
Path Finder

What about:

range marker

charting.chart.RangeMarker

http://www.splunk.com/base/Documentation/4.1/Developer/ChartReference

0 Karma