
How do I get a basic traffic graph similar to MRTG

Explorer

Apologies - I am sure this has been answered before.

I am trying to create a graph from my traffic logs. I have managed to extract the 4 fields from the traffic logs as "Start_time" "End_time" "transmitted bits per second" "received bits per second"

But when I try to graph this I get different results. I want the x-axis to be the start_time (not the splunk recorded time field "_time") and I want the y-axis to be "bits per second"

I would like a single log entry to be represented on the x-axis from "Start_time" up to the later time of "End_time" with a height on the y-axis of the integer number "transmitted bits per second" (no time averages or other fancy math functions)

In fact I am just looking for a graph of traffic versus time from a standard traffic log.

Has anyone got any links to a splunk graph and the search string used to generate something like this ?

Many thanks for your help

Re: How do I get a basic traffic graph similar to MRTG

Path Finder

I would be interested in this as well. Good luck. You got me thinking... and I found this, in case you haven't read it yet.

http://www.splunk.com/base/Documentation/4.1/Developer/ChartReference

Re: How do I get a basic traffic graph similar to MRTG

Path Finder

What about:

range marker

charting.chart.RangeMarker

http://www.splunk.com/base/Documentation/4.1/Developer/ChartReference

Re: How do I get a basic traffic graph similar to MRTG

SplunkTrust

The timechart command will use the _time field for its x-axis, and the values of that _time field have to be epochTime (i.e. number of seconds since 1970). Beyond that, where those values actually come from doesn't really matter, so we can just eval them from your extracted start_time field.

http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/CommonEvalFunctions

If that start_time is already an epochTime number then we can save some time, but I'm going to assume that it's extracted in a string format, and I'm going to additionally assume that the timeformat string involved is: "%m/%d/%Y %H:%M:%S"

So here goes:

<your search> | eval _time=strptime(start_time, "%m/%d/%Y %H:%M:%S")

that will overwrite the indexed _time values with your extracted times.

And from there, I think all you want is basically a graph of overall bits transmitted over time. I've broken this out step by step so it's a little easier to follow.

<your search>
| eval _time=strptime(start_time, "%m/%d/%Y %H:%M:%S")
| eval end_time_epoch = strptime(end_time, "%m/%d/%Y %H:%M:%S")
| eval duration = end_time_epoch - _time
| eval bitsTransmitted = transmittedBitsPerSecond * duration
| timechart sum(bitsTransmitted)

hope that helps.

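The search above can be checked against a few constructed log lines without a Splunk instance. The following Python is an added stand-in for the answer's SPL, not code from the thread: it parses the four fields, converts start/end to epoch seconds the way strptime() does, and then buckets the records two ways. sum_at_start() mirrors timechart sum(bitsTransmitted) exactly, which means every bit of an event lands in the bin containing its start time even when the event runs past that bin. spread_over_interval() is the MRTG-style alternative the asker described, where an event contributes its rate to every bin it overlaps, weighted by the seconds of overlap. Field names (start_time, end_time, tx_bps, rx_bps), the UTC assumption for zone-less timestamps, and the sample log are all assumptions made for the example.

```python
"""Stand-in for the thread's SPL: bucket per-flow bps records into a time series.

Added example, not the original post's search. Field names and the sample log
below are assumptions/constructed data, not real traffic.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

TIMEFORMAT = "%m/%d/%Y %H:%M:%S"  # same format string the answer assumes

# Constructed sample traffic log (not real data). Record 1 spans two 1-minute
# bins and record 3 straddles a bin boundary; that is where the two
# bucketing approaches below give different pictures.
SAMPLE_LOG = """\
start_time="01/05/2013 10:00:00" end_time="01/05/2013 10:02:00" tx_bps=1000 rx_bps=500
start_time="01/05/2013 10:01:30" end_time="01/05/2013 10:01:45" tx_bps=8000 rx_bps=200
start_time="01/05/2013 10:02:40" end_time="01/05/2013 10:03:20" tx_bps=3000 rx_bps=100
"""

# key=value pairs, quoted or bare
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def to_epoch(text):
    """Equivalent of SPL strptime(text, TIMEFORMAT): seconds since 1970.
    The log carries no zone, so UTC is assumed here."""
    return datetime.strptime(text, TIMEFORMAT).replace(tzinfo=timezone.utc).timestamp()


def parse_records(log_text):
    """Extract the four fields from each line and convert both times to epoch."""
    records = []
    for line in log_text.splitlines():
        kv = {k: (quoted or bare) for k, quoted, bare in KV_RE.findall(line)}
        records.append({
            "_time": to_epoch(kv["start_time"]),   # the answer's eval _time=strptime(...)
            "end": to_epoch(kv["end_time"]),
            "tx_bps": float(kv["tx_bps"]),
            "rx_bps": float(kv["rx_bps"]),
        })
    return records


def bin_of(epoch, span):
    """Floor an epoch timestamp to its bin start (what timechart span=<n>s does)."""
    return epoch - (epoch % span)


def sum_at_start(records, span=60, field="tx_bps"):
    """Mirror of the accepted answer:
       eval duration=end_time_epoch-_time | eval bits=bps*duration | timechart sum(bits)
    All of an event's bits land in the bin containing _time (its start), even
    when the event runs on past that bin. Returns {bin_epoch: total_bits}."""
    bins = defaultdict(float)
    for r in records:
        duration = r["end"] - r["_time"]
        bins[bin_of(r["_time"], span)] += r[field] * duration
    return dict(bins)


def spread_over_interval(records, span=60, field="tx_bps"):
    """What the asker described (MRTG-like): each event contributes its rate to
    every bin it overlaps, weighted by seconds of overlap.
    Returns {bin_epoch: average_bps_over_that_bin}."""
    bits = defaultdict(float)
    for r in records:
        start, end = r["_time"], r["end"]
        b = bin_of(start, span)
        while b < end:
            overlap = min(end, b + span) - max(start, b)
            bits[b] += r[field] * overlap
            b += span
    return {b: v / span for b, v in bits.items()}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for name, series in (("sum at start (bits per bin)", sum_at_start(recs)),
                         ("spread over interval (avg bps per bin)", spread_over_interval(recs))):
        print(name)
        for b in sorted(series):
            stamp = datetime.fromtimestamp(b, timezone.utc).strftime(TIMEFORMAT)
            print(f"  {stamp}  {series[b]:>10.0f}")
```

Both series conserve the total bits, but only the spread version draws the flat bar from start to end that the question asks for; the summed version piles a long-lived flow into its first minute and shows nothing for the rest of its lifetime. If you do use the summed search, set an explicit span on timechart, because a wide auto-chosen span hides the difference.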

Re: How do I get a basic traffic graph similar to MRTG

Explorer

Many thanks for your suggestions. You gave me a couple of things to look at further. I am able to get the start time field from the log entry, and can also get the duration in seconds from the log entry. I can convert the start time to epoch time and add on the duration to get the end time (as an epoch value or as a regular time stamp format).

But your suggestion "timechart sum(transmitpersecond)" would chart the "transmitpersecond" against "_time" (the time stamp Splunk gets the log at), as opposed to the time in the log entry, and gets the sum for this particular time rather than showing a bar

Re: How do I get a basic traffic graph similar to MRTG

Explorer

... a bar chart type entry starting at "start time" and going on until "end time".

Maybe I am being too particular. I will give your suggestion a go and it will probably give me good enough results.

Again many thanks for your help here.

Re: How do I get a basic traffic graph similar to MRTG

SplunkTrust

Is there a reason that you're not indexing the data such that the indexed time of the event actually is the starttime field? Is there a third timestamp in the logs that is also meaningful? If not, I suggest fixing the problem at indexing, because then this just becomes "timechart avg(transmittedbps)"
