Cannot get timechart to show correct results using by "ifName"

matt4321
Explorer

Using the below search works when I only specify a single ifName.

host=ohtwbgitxsg10 ifName=1/1 | sort _time | delta ifHCInOctets as in_change | delta ifHCOutOctets as out_change | where in_change>=0 | where out_change>=0 | eval inmbits=(in_change*8/1000/1000) | eval outmbits=(out_change*8/1000/1000) | timechart span=12m per_second(inmbits) as in_Mbits, per_second(outmbits) as out_Mbits

But if I want to display multiple ifNames on the chart by changing it to ifName=* and then adding by ifName to the timechart, the results are completely inaccurate.

Am I doing something incorrectly or is there a better way of doing this?

Thanks for any help you can provide.

1 Solution

martin_mueller
SplunkTrust

timechart is not your problem, delta is. delta doesn't know how to do a delta field by otherfield, you need streamstats for that. Something like this:

... | streamstats window=1 global=f current=f last(ifHCInOctets) as last_in by ifName | eval in_change = ifHCInOctets - last_in | ...

Swap the eval around in case I accidentally gave you negative changes.

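The accepted answer's point is that delta subtracts the previous row regardless of which interface it belongs to, while streamstats ... by ifName subtracts the previous row of the same interface. The following is an added illustration of that difference, written in Python rather than SPL; it is not code from the thread or from Splunk. The SNMP samples, the 60-second poll interval and the function names are constructed for the example. It also shows the effect of the search order on the sign of the change (the "swap the eval around" remark) and what the where change>=0 filter does with a counter reset.

```python
"""Why `delta` misbehaves with several ifNames and how the per-ifName
streamstats approach fixes it.

Added illustration for this thread, written in Python rather than SPL; it is
not Splunk code. The SNMP samples below are constructed, not real data.
"""

POLL_INTERVAL_S = 60  # constructed: the collector polls each interface every minute

# Constructed samples: two interfaces polled at the same instants, so their
# events interleave in a raw search. ifHCInOctets only grows, except that 3/1
# restarts from near zero at t=120 (counter reset after a reboot).
EVENTS = [
    {"_time": 0,   "ifName": "1/1", "ifHCInOctets": 1_000_000},
    {"_time": 0,   "ifName": "3/1", "ifHCInOctets": 5_000_000},
    {"_time": 60,  "ifName": "1/1", "ifHCInOctets": 1_750_000},  # +750,000 B
    {"_time": 60,  "ifName": "3/1", "ifHCInOctets": 5_150_000},  # +150,000 B
    {"_time": 120, "ifName": "1/1", "ifHCInOctets": 2_500_000},  # +750,000 B
    {"_time": 120, "ifName": "3/1", "ifHCInOctets": 20_000},     # reset
]


def delta_like(events, field):
    """Mimics `sort _time | delta field`: subtracts the previous ROW, whatever
    interface it belongs to. Returns (_time, ifName, change) per row."""
    out, prev = [], None
    for e in sorted(events, key=lambda e: e["_time"]):
        if prev is not None:
            out.append((e["_time"], e["ifName"], e[field] - prev))
        prev = e[field]
    return out


def streamstats_like(events, field, key="ifName", newest_first=False):
    """Mimics `streamstats window=1 global=f current=f last(field) as last_x
    by ifName | eval change = ...`: subtracts the previous value of the SAME
    interface. Without an explicit sort a search hands events over in reverse
    chronological order, so the previous row is the newer sample and the
    subtraction has to be flipped to keep normal growth positive."""
    rows = sorted(events, key=lambda e: e["_time"], reverse=newest_first)
    last, out = {}, []
    for e in rows:
        k = e[key]
        if k in last:
            change = (last[k] - e[field]) if newest_first else (e[field] - last[k])
            out.append((e["_time"], k, change))
        last[k] = e[field]
    return out


def to_mbit_s(changes, interval_s=POLL_INTERVAL_S):
    """Mimics `where change>=0 | eval mbits=change*8/1000/1000` followed by
    timechart per_second(): a negative change (counter reset, or delta mixing
    two interfaces) is dropped rather than charted as nonsense."""
    return [
        (t, name, change * 8 / 1_000_000 / interval_s)
        for t, name, change in changes
        if change >= 0
    ]


def interfaces_charted(rates):
    """Which ifNames survive into the chart at all."""
    return sorted({name for _, name, _ in rates})


if __name__ == "__main__":
    print("delta across interfaces :", to_mbit_s(delta_like(EVENTS, "ifHCInOctets")))
    print("streamstats by ifName   :", to_mbit_s(streamstats_like(EVENTS, "ifHCInOctets")))
    print("same, newest-first order:",
          to_mbit_s(streamstats_like(EVENTS, "ifHCInOctets", newest_first=True)))
```

With the interleaved samples, the row-to-row delta charges 1/1's counter against 3/1's and vice versa, so every 1/1 change comes out negative and is filtered away while 3/1 is charted at a wildly inflated rate. The per-interface version yields 0.1 Mbit/s for 1/1 and 0.02 Mbit/s for 3/1 and drops only the reset. In newest-first order the same changes come out, but each one is attached to the older of the two samples, so the chart is shifted back by one poll interval relative to a sort _time search.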

matt4321
Explorer

This ended up working out perfectly, thank you very much.

If you don't mind, please have a look at my final search and let me know if you have a better/shorter way of making this work.

host=ohtwbgitxsg10 ifName=1/1 OR ifName=2/1 OR ifName=3/1 OR ifName=4/1 | streamstats window=1 global=f current=f last(ifHCInOctets) as last_in by ifName | eval in_change = last_in - ifHCInOctets | where in_change>=0 | eval in_mbits=in_change*8/1000/1000 | streamstats window=1 global=f current=f last(ifHCOutOctets) as last_out by ifName | eval out_change = last_out - ifHCOutOctets | where out_change>=0 | eval out_mbits=out_change*8/1000/1000 | timechart span=12m per_second(in_mbits), per_second(out_mbits) by ifName

martin_mueller
SplunkTrust

You could shorten the search string itself by using foreach around the streamstats | eval | where | eval. Those two sets of search commands only differ by "in" and "out", the rest is duplicate. That's not going to influence the execution much though.
