Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Cannot get timechart to show correct results using by "ifName"

matt4321
Explorer
‎09-14-2014 01:10 PM

Using the below search works when I only specify a single ifName.

host=ohtwbgitxsg10 ifName=1/1 | sort _time | delta ifHCInOctets as in_change | delta ifHCOutOctets as out_change | where in_change>=0 | where out_change>=0 | eval inmbits=(in_change*8/1000/1000) | eval outmbits=(out_change*8/1000/1000) | timechart span=12m per_second(inmbits) as in_Mbits, per_second(outmbits) as out_Mbits

But if I want to display multiple ifNames on the chart by changing ifName=* then adding by ifName on the timechart the results are completely inaccurate.

Am I doing something incorrectly or is there a better way of doing this?

Thanks for any help you can provide.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎09-14-2014 01:58 PM

timechart is not your problem, delta is. delta doesn't know how to do a delta field by otherfield, you need streamstats for that. Something like this:

... | streamstats window=1 global=f current=f last(ifHCInOctets) as last_in by ifName | eval in_change = ifHCInOctets - last_in | ...

Swap the eval around in case I accidentally gave you negative changes.

View solution in original post

Reply
Solved! Jump to solution

matt4321
Explorer
‎09-16-2014 08:01 PM

This ended up working out perfect thank you very much.

If you don't mind please have a look at my final Search and let me know if you have a better/shorter way on making this work.

host=ohtwbgitxsg10 ifName=1/1 OR ifName=2/1 OR ifName=3/1 OR ifName=4/1 | streamstats window=1 global=f current=f last(ifHCInOctets) as last_in by ifName | eval in_change = last_in - ifHCInOctets | where in_change>=0 | eval in_mbits=in_change*8/1000/1000 | streamstats window=1 global=f current=f last(ifHCOutOctets) as last_out by ifName | eval out_change = last_out - ifHCOutOctets | where out_change>=0 | eval out_mbits=out_change*8/1000/1000 |   timechart span=12m per_second(in_mbits), per_second(out_mbits) by ifName
0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎09-17-2014 12:49 AM

You could shorten the search string itself by using foreach around the streamstats | eval | where | eval. Those two sets of search commands only differ by "in" and "out", the rest is duplicate. That's not going to influence the execution much though.

0 Karma
Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎09-14-2014 01:58 PM

timechart is not your problem, delta is. delta doesn't know how to do a delta field by otherfield, you need streamstats for that. Something like this:

... | streamstats window=1 global=f current=f last(ifHCInOctets) as last_in by ifName | eval in_change = ifHCInOctets - last_in | ...

Swap the eval around in case I accidentally gave you negative changes.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...