Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Cannot get timechart to show correct results using by "ifName"

matt4321
Explorer
‎09-14-2014 01:10 PM

Using the below search works when I only specify a single ifName.

host=ohtwbgitxsg10 ifName=1/1 | sort _time | delta ifHCInOctets as in_change | delta ifHCOutOctets as out_change | where in_change>=0 | where out_change>=0 | eval inmbits=(in_change*8/1000/1000) | eval outmbits=(out_change*8/1000/1000) | timechart span=12m per_second(inmbits) as in_Mbits, per_second(outmbits) as out_Mbits

But if I want to display multiple ifNames on the chart by changing ifName=* then adding by ifName on the timechart the results are completely inaccurate.

Am I doing something incorrectly or is there a better way of doing this?

Thanks for any help you can provide.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎09-14-2014 01:58 PM

timechart is not your problem, delta is. delta doesn't know how to do a delta field by otherfield, you need streamstats for that. Something like this:

... | streamstats window=1 global=f current=f last(ifHCInOctets) as last_in by ifName | eval in_change = ifHCInOctets - last_in | ...

Swap the eval around in case I accidentally gave you negative changes.

View solution in original post

Reply
Solved! Jump to solution

matt4321
Explorer
‎09-16-2014 08:01 PM

This ended up working out perfect thank you very much.

If you don't mind please have a look at my final Search and let me know if you have a better/shorter way on making this work.

host=ohtwbgitxsg10 ifName=1/1 OR ifName=2/1 OR ifName=3/1 OR ifName=4/1 | streamstats window=1 global=f current=f last(ifHCInOctets) as last_in by ifName | eval in_change = last_in - ifHCInOctets | where in_change>=0 | eval in_mbits=in_change*8/1000/1000 | streamstats window=1 global=f current=f last(ifHCOutOctets) as last_out by ifName | eval out_change = last_out - ifHCOutOctets | where out_change>=0 | eval out_mbits=out_change*8/1000/1000 |   timechart span=12m per_second(in_mbits), per_second(out_mbits) by ifName
0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎09-17-2014 12:49 AM

You could shorten the search string itself by using foreach around the streamstats | eval | where | eval. Those two sets of search commands only differ by "in" and "out", the rest is duplicate. That's not going to influence the execution much though.

0 Karma
Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎09-14-2014 01:58 PM

timechart is not your problem, delta is. delta doesn't know how to do a delta field by otherfield, you need streamstats for that. Something like this:

... | streamstats window=1 global=f current=f last(ifHCInOctets) as last_in by ifName | eval in_change = ifHCInOctets - last_in | ...

Swap the eval around in case I accidentally gave you negative changes.

Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...