
Cannot get timechart to show correct results using by "ifName"

Explorer

The search below works when I specify only a single ifName.

host=ohtwbgitxsg10 ifName=1/1 | sort _time | delta ifHCInOctets as in_change | delta ifHCOutOctets as out_change | where in_change>=0 | where out_change>=0 | eval inmbits=(in_change*8/1000/1000) | eval outmbits=(out_change*8/1000/1000) | timechart span=12m per_second(inmbits) as in_Mbits, per_second(outmbits) as out_Mbits

But if I want to display multiple ifNames on the chart by changing it to ifName=* and then adding by ifName to the timechart, the results are completely inaccurate.

Am I doing something incorrectly or is there a better way of doing this?

Thanks for any help you can provide.


Re: Cannot get timechart to show correct results using by "ifName"

SplunkTrust

timechart is not your problem, delta is. delta doesn't know how to do a delta field by otherfield, you need streamstats for that. Something like this:

... | streamstats window=1 global=f current=f last(ifHCInOctets) as last_in by ifName | eval in_change = ifHCInOctets - last_in | ...

Swap the eval around in case I accidentally gave you negative changes.


Re: Cannot get timechart to show correct results using by "ifName"

Explorer

This ended up working out perfectly, thank you very much.

If you don't mind, please have a look at my final search and let me know if you have a better/shorter way of making this work.

host=ohtwbgitxsg10 ifName=1/1 OR ifName=2/1 OR ifName=3/1 OR ifName=4/1 | streamstats window=1 global=f current=f last(ifHCInOctets) as last_in by ifName | eval in_change = last_in - ifHCInOctets | where in_change>=0 | eval in_mbits=in_change*8/1000/1000 | streamstats window=1 global=f current=f last(ifHCOutOctets) as last_out by ifName | eval out_change = last_out - ifHCOutOctets | where out_change>=0 | eval out_mbits=out_change*8/1000/1000 | timechart span=12m per_second(in_mbits), per_second(out_mbits) by ifName


Re: Cannot get timechart to show correct results using by "ifName"

SplunkTrust

You could shorten the search string itself by using foreach around the streamstats | eval | where | eval. Those two sets of search commands only differ by "in" and "out", the rest is duplicate. That's not going to influence the execution much though.

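Added example, not code from this thread or from Splunk: a small Python model of what the search commands above compute, so the difference between the original delta search and the accepted streamstats-by-ifName answer can be seen on concrete rows, and so the last reply's point (the in and out pipelines differ only by field name) is handled by looping over the counter fields instead of copy-pasting. The sample rows are constructed, in oldest-first order as after sort _time (the final search relies on the default newest-first order, which is why it computes last_in - ifHCInOctets rather than the reverse); the function names and the counter-reset row are my own assumptions, and the 12-minute timechart bucketing is not modelled.

```python
from collections import defaultdict

# Constructed sample rows (not real SNMP polls): two interfaces polled every 60 s,
# interleaved the way a search returns them, oldest first. ifHC*Octets are
# monotonic 64-bit counters; the last 2/1 row models a device restart that
# reset its counters, which is the case the `where *_change>=0` filters exist for.
SAMPLE_EVENTS = [
    {"_time": 0,   "ifName": "1/1", "ifHCInOctets": 1_000_000_000, "ifHCOutOctets": 500_000_000},
    {"_time": 0,   "ifName": "2/1", "ifHCInOctets": 10_000_000,    "ifHCOutOctets": 20_000_000},
    {"_time": 60,  "ifName": "1/1", "ifHCInOctets": 1_075_000_000, "ifHCOutOctets": 530_000_000},
    {"_time": 60,  "ifName": "2/1", "ifHCInOctets": 11_500_000,    "ifHCOutOctets": 20_600_000},
    {"_time": 120, "ifName": "1/1", "ifHCInOctets": 1_150_000_000, "ifHCOutOctets": 560_000_000},
    {"_time": 120, "ifName": "2/1", "ifHCInOctets": 13_000_000,    "ifHCOutOctets": 21_200_000},
    {"_time": 180, "ifName": "2/1", "ifHCInOctets": 40_000,        "ifHCOutOctets": 8_000},
]


def global_delta(events, field):
    """What `delta <field>` computes: current value minus the value in the
    immediately preceding event, whichever interface that event belongs to.
    Returns [(_time, ifName, change)] for every event after the first."""
    out = []
    prev = None
    for ev in events:
        if prev is not None:
            out.append((ev["_time"], ev["ifName"], ev[field] - prev[field]))
        prev = ev
    return out


def delta_by_group(events, field, group="ifName"):
    """What `streamstats window=1 global=f current=f last(<field>) as last by <group>`
    followed by `eval change = <field> - last` computes: current value minus the
    previous event of the *same* group. The first sample of each group has no
    predecessor (last is null in Splunk) and is skipped."""
    out = []
    last = {}  # per-group previous event
    for ev in events:
        key = ev[group]
        if key in last:
            out.append((ev["_time"], key, ev[field] - last[key][field]))
        last[key] = ev
    return out


def rates_mbps(events, fields=("ifHCInOctets", "ifHCOutOctets"), group="ifName"):
    """Per-group throughput in Mbit/s for each counter field, following the final
    search: by-group delta, drop the sample if any delta is negative (counter
    reset or wrap), bytes -> bits, divided by the seconds elapsed since the
    previous sample of that group. Looping over `fields` replaces the duplicated
    in/out pipelines. Returns {(ifName, field): [(_time, mbps), ...]}."""
    result = defaultdict(list)
    last = {}
    for ev in events:
        key = ev[group]
        prev = last.get(key)
        if prev is not None:
            elapsed = ev["_time"] - prev["_time"]
            changes = {f: ev[f] - prev[f] for f in fields}
            # `where in_change>=0 | where out_change>=0` discards the whole event
            if elapsed > 0 and all(c >= 0 for c in changes.values()):
                for f, c in changes.items():
                    result[(key, f)].append((ev["_time"], c * 8 / elapsed / 1_000_000))
        last[key] = ev
    return dict(result)


if __name__ == "__main__":
    print("global delta (interfaces mixed):", global_delta(SAMPLE_EVENTS, "ifHCInOctets"))
    print("by-group delta:", delta_by_group(SAMPLE_EVENTS, "ifHCInOctets"))
    for key, series in sorted(rates_mbps(SAMPLE_EVENTS).items()):
        print(key, series)
```

Running it shows the failure mode from the question: with the rows interleaved, the global delta for 1/1 at t=60 is 1,075,000,000 minus 2/1's counter, about 1.06 GB instead of 75 MB, and every 2/1 row comes out negative and is then silently dropped by the where filter, so the chart is both wrong and missing interfaces. The by-group version gives 75 MB per minute for 1/1 (10 Mbit/s) and 1.5 MB per minute for 2/1 (0.2 Mbit/s), and only the reset sample at t=180 is discarded.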