Delta of overflowing counter for Bandwidth measurement

splunkbeginner2
Path Finder

Hey there,

Today seems to me like the morning of many questions.

So I have another problem: I want to measure the bandwidth with SNMP. The router returns a 32-bit counter for octets of bits transmitted. On some very powerful connections this results in the counter reaching its end and starting at its negative value again. This is quite bad, because it destroys my whole graph (every few seconds you have this drop and the real rise isn't visible anymore).
The graph should display the difference of that counter to the counter of the event before. Therefore I am using the |delta command to get the difference to the last one. How could I create a query that is fail-safe or filters such events out?

index=snmp source="MyConnection" | sort 0 _time | delta IfInOctets as in | timechart sum(in)

(It would be great if you could offer a performant solution, but anything that works helps.)
Anyway: Thank you for your support!

Regards,
Xantor

0 Karma
1 Solution

aweitzman
Motivator

Maybe something like this?

index=snmp source="MyConnection" | sort 0 _time | delta IfInOctets as in | eval max=pow(2,32) | eval min=0 | eval in_corrected=if(in<0,max-min+in,in) | timechart sum(in_corrected)

(You can leave out the eval max and eval min clauses and just plug the numbers directly into the "then" clause of the if statement if you want - I just did it this way here for readability purposes.)

This is not fail-safe because it cannot take into account the situation where the delta is in reality greater than max, because that reality cannot be reflected in the statistics you're gathering. But except for that caveat, this might be your best shot.

dpaupore
New Member

Also look at the 1.3.6.1.2.1.31.1.1.1 MIB. It has a 64-bit counter for the interface value, much less change.

0 Karma

splunkbeginner2
Path Finder

Thank you, I know about this, but not every device is able to return 64-bit values. Some just have 32 bits...

0 Karma

splunkbeginner2
Path Finder

I meanwhile used a slightly different solution, but I think yours would even have been better. Thank you!

0 Karma

splunkbeginner2
Path Finder

Well. But clearly it produces false results. Each time the counter crosses the maximum, delta doesn't count "from old to max and from min to current". But that's what it should do. Delta instead works and calculates: "Value shortly before max - X = Current value" and returns the X.
Unfortunately I need it somehow different.

0 Karma
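
The wrap-aware difference this thread is after ("from old to max and from min to current"), together with the caveat that a delta larger than the counter range cannot be recovered, worked through as an added Python example that is not part of any post. The function names and the sample readings are constructed for illustration.

```python
# Added illustration, not code from the thread. All names and readings are constructed.
MODULUS = 2 ** 32  # a 32-bit counter holds 0 .. 2**32 - 1


def wrap_delta(prev, cur, modulus=MODULUS):
    """Octets counted between two readings, assuming the counter wrapped
    at most once in between.

    Modular subtraction yields "prev up to max, plus min up to cur" after a
    rollover and the plain difference otherwise. It gives the same answer
    when the collector stored the reading as a signed 32-bit integer,
    because the signed and unsigned forms differ by a multiple of the modulus.
    """
    return (cur - prev) % modulus


def deltas(readings, modulus=MODULUS):
    """Per-interval deltas for a time-ordered list of readings."""
    return [wrap_delta(p, c, modulus) for p, c in zip(readings, readings[1:])]


def max_poll_interval_seconds(link_bits_per_second, modulus=MODULUS):
    """Poll interval at which a link at full line rate transfers exactly one
    counter's worth of octets. Polling must be faster than this, otherwise a
    delta can exceed the modulus and the excess is silently lost."""
    return modulus * 8 / link_bits_per_second


# Constructed readings: 5000 octets per interval, rollover before the 3rd.
UNSIGNED = [4294960000, 4294965000, 2704, 7704]
# Constructed readings from a collector that reports signed 32-bit values.
SIGNED = [2147480000, 2147483000, -2147479296, -2147474296]

if __name__ == "__main__":
    print("naive   :", [c - p for p, c in zip(UNSIGNED, UNSIGNED[1:])])
    print("unsigned:", deltas(UNSIGNED))
    print("signed  :", deltas(SIGNED))
    # The case no correction can recover: 2**32 + 100 octets really passed,
    # but the readings 1000 -> 1100 are indistinguishable from 100 octets.
    print("lost    :", wrap_delta(1000, (1000 + MODULUS + 100) % MODULUS))
    print("1 Gbit/s max interval: %.1f s" % max_poll_interval_seconds(10 ** 9))
```
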

somesoni2
SplunkTrust

The search is currently working, right? Are you looking for alternatives to your 'delta' solution?

0 Karma