Using the below search works when I only specify a single ifName.
host=ohtwbgitxsg10 ifName=1/1 | sort _time | delta ifHCInOctets as in_change | delta ifHCOutOctets as out_change | where in_change>=0 | where out_change>=0 | eval inmbits=(in_change*8/1000/1000) | eval outmbits=(out_change*8/1000/1000) | timechart span=12m per_second(inmbits) as in_Mbits, per_second(outmbits) as out_Mbits
But if I want to display multiple ifNames on the chart by changing to ifName=* and then adding by ifName on the timechart, the results are completely inaccurate.
Am I doing something incorrectly or is there a better way of doing this?
Thanks for any help you can provide.
timechart is not your problem, delta doesn't know how to do a delta field by otherfield, you need streamstats for that. Something like this:
... | streamstats window=1 global=f current=f last(ifHCInOctets) as last_in by ifName | eval in_change = ifHCInOctets - last_in | ...
eval around in case I accidentally gave you negative changes.
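Why a plain delta goes wrong once several interfaces are interleaved, and why tracking the previous value per ifName fixes it, shown as an added Python illustration that is not part of the original thread. The sample counter values and the function names are constructed for the example.

```python
# Added illustration; sample data and function names are constructed, not from the thread.
from collections import defaultdict

# Constructed samples: (epoch_seconds, ifName, ifHCInOctets), sorted by time.
SAMPLES = [
    (0,   "1/1", 1_000_000),
    (0,   "2/1", 50_000_000),
    (60,  "1/1", 1_600_000),
    (60,  "2/1", 50_150_000),
    (120, "1/1", 2_200_000),
    (120, "2/1", 200_000),      # counter reset on 2/1
    (180, "1/1", 2_800_000),
    (180, "2/1", 350_000),
]

def global_delta(samples):
    """Like `delta`: difference from the previous event, whatever its ifName."""
    out, prev = [], None
    for _, name, octets in samples:
        if prev is not None:
            out.append((name, octets - prev))
        prev = octets
    return out

def per_interface_delta(samples):
    """Like `streamstats window=1 current=f last(...) by ifName`, then `where change>=0`."""
    last = {}
    changes = defaultdict(list)
    for _, name, octets in samples:
        if name in last:
            change = octets - last[name]
            if change >= 0:     # drop the sample that follows a counter reset
                changes[name].append(change)
        last[name] = octets
    return dict(changes)

def mbits_per_second(change_octets, interval_s):
    """Same unit conversion as the searches in the thread, spread over the interval."""
    return change_octets * 8 / 1000 / 1000 / interval_s

if __name__ == "__main__":
    print("global :", global_delta(SAMPLES))
    print("by name:", per_interface_delta(SAMPLES))
    print("1/1 Mbit/s:", mbits_per_second(600_000, 60))
```

The global version subtracts one interface's counter from another's, so every surviving non-negative value is meaningless; the per-interface version yields a steady change for each port and discards only the sample after the reset.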
This ended up working out perfectly, thank you very much.
If you don't mind, please have a look at my final search and let me know if you have a better/shorter way of making this work.
host=ohtwbgitxsg10 ifName=1/1 OR ifName=2/1 OR ifName=3/1 OR ifName=4/1 | streamstats window=1 global=f current=f last(ifHCInOctets) as last_in by ifName | eval in_change = last_in - ifHCInOctets | where in_change>=0 | eval in_mbits=in_change*8/1000/1000 | streamstats window=1 global=f current=f last(ifHCOutOctets) as last_out by ifName | eval out_change = last_out - ifHCOutOctets | where out_change>=0 | eval out_mbits=out_change*8/1000/1000 | timechart span=12m per_second(in_mbits), per_second(out_mbits) by ifName
You could shorten the search string itself by using foreach around the streamstats | eval | where | eval. Those two sets of search commands only differ by "in" and "out", the rest is duplicate. That's not going to influence the execution much though.