Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Display peak usage over time
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi 🙂
We are using Splunk 5.0.2 and have a requirement to show peak bandwidth usage over time.
Here is the search that we are using over the Last 30 days:
index=mediacap ( hostname="cha-cdn6506-*" OR hostname="cht-cdn6506-*" ) ( metric="ifInOctets_Port-channel10" OR metric="ifInOctets_Port-channel11" )
| eval metric=hostname.":".metric
| streamstats current=t global=f window=2 earliest(value) as curr latest(value) as next by metric
| eval delta=next-curr
| eval inkilobits=(delta*8/1000/1000/1000)
| timechart span=5m per_second(inkilobits) as in_kbps useother=f limit=0 by metric
| addtotals *Octets*
| fields + Total
| timechart span=1d max(Total) as Usage
It shows a line graph of peak usage with a span of 1 day between data points, however splunk displays those data points snapped to midnight (ie. beginning of each day).
Is it possible to show the actual time in a day or hour that a peak occurred? Could it be put in a table and/or on the chart?
Thanks in advance,
Luke 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yip.
If you want the values in a table, here's an example :
earliest=-7d@d
| bin _time span=5m
| stats count as eps by _time
| eval day=_time
| bin day span=1d
| eventstats max(eps) as peak_eps by day
| where eps==peak_eps
| fields - day eps
If you want to plot this, add :
| eval date_string=strftime(_time,"%d/%m/%y %H:%M:00")
| chart first(eps) by date_string
There's no way to display 5 minute chunks over 30 days, so you have to resort to using chart instead of timechart.
If the date strings on the X axis look ugly, and this is going in a dashboard, I answered a question recently about word-wrapping / truncation for axis labels.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yip.
If you want the values in a table, here's an example :
earliest=-7d@d
| bin _time span=5m
| stats count as eps by _time
| eval day=_time
| bin day span=1d
| eventstats max(eps) as peak_eps by day
| where eps==peak_eps
| fields - day eps
If you want to plot this, add :
| eval date_string=strftime(_time,"%d/%m/%y %H:%M:00")
| chart first(eps) by date_string
There's no way to display 5 minute chunks over 30 days, so you have to resort to using chart instead of timechart.
If the date strings on the X axis look ugly, and this is going in a dashboard, I answered a question recently about word-wrapping / truncation for axis labels.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Awesome! Thanks John!!!
Accelerating Observability as Code with the Splunk AI Assistant
Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...
Congratulations to the 2025-2026 SplunkTrust!
