Hi,
I keep getting negative values on my chart when I run my search below. All I'm trying to do is calculate the bandwidth utilization from one of my switches to another. Put into consideration, assuming the switches are in different building locations. I'll be glad if someone could help me out.
Here is my search below:
index=snmp dst_device="mdf1" src_device="mdf2"
| delta snmpIfInOctets as transferedIn
| delta snmpIfOutOctets as transferedOut
| delta _time as period
| eval transferedBitsIn=transferedIn*8/period
| eval transferedBitsOut=transferedOut*8/period
| fields + _time, source, snmpIfSpeed, transferedBitsIn, transferedBitsOut
| timechart span=10m sum(transferedBitsIn) as Input sum(transferedBitsOut) as output by source
Why are you doing it with such discrete calculations? Why not do it in a much simpler and broader way, like this:
index=snmp
| eval link=if(src_device<dst_device, src_device, dst_device) . "<->" . if(src_device<dst_device, dst_device, src_device)
| stats earliest(_time) AS firstTime latest(_time) AS lastTime sum(snmpIfInOctets) as inputBits sum(snmpIfOutOctets) as outputBits by link
| eval TotalBits = 8*(inputBits + outputBits)
| eval Bandwidth=TotalBits/(lastTime-firstTime)
This looks good, by the way. Is there a way to add a sparkline to show the bandwidth utilization for each link (src_device, dst_device)?
Oops, what about the bandwidth result? It wasn't used in your suggested search above?
The search that I gave you calculates a single bandwidth value for each "link" but you have to "use" it as you see fit (I don't know what your end goal is). As far as sparkline, you can do that like this:
index=snmp
| eval link=if(src_device<dst_device, src_device, dst_device) . "<->" . if(src_device<dst_device, dst_device, src_device)
| bucket _time span=1h
| stats earliest(_time) AS firstTime latest(_time) AS lastTime sum(snmpIfInOctets) as inputBits sum(snmpIfOutOctets) as outputBits by link _time
| eval TotalBits = 8*(inputBits + outputBits)
| eval Bandwidth=TotalBits/(lastTime-firstTime)
| stats sparkline(avg(Bandwidth),1h) as BandwidthPerHour by link
Hello Woodcook,
So, I tried the search you sent, but there is no data or sparkline data coming up?
Your comment was truncated but the only way that I can see for it not to work is if you did not run it for more than an hour.  Try changing the 1h to 1m instead.
Same problem, no report coming up on Splunk. Just data on the Events.
You should probably start over with a new question so that you can start with a concise description and so that more people will take a fresh look at it.
If you want to search more than an hour, use 1mon instead of 1m; m is for minutes: http://docs.splunk.com/Documentation/Splunk/6.2.2/Search/Specifytimemodifiersinyoursearch#Specify_re...
Too many deltas. Each event already has the bytes transferred; you just need how long it took. Try this:
index=snmp dst_device="mdf1" src_device="mdf2"
| delta _time as period
| eval transferedBitsIn=snmpIfInOctets*8/period
| eval transferedBitsOut=snmpIfOutOctets*8/period
| timechart span=10m sum(transferedBitsIn) as Input sum(transferedBitsOut) as output by source
Hi Woodcook,
Thanks for the feedback. I think we are almost there. But, for some reason, I keep getting this error message whenever I try to populate my graph when running the search over 7 days or 30 days. See below:
These results may be truncated. This visualization is configured to display a maximum of 1000 results per series, and that limit has been reached.
Also, why do I get a negative value for each link? I'm more concerned about getting the aggregate bandwidth usage over 30 days.
I don't know what you mean by each link but if all of your values are negative, you can fix it by reversing the events like this:
index=snmp dst_device="mdf1" src_device="mdf2"
| reverse
| delta _time as period
| eval transferedBitsIn=snmpIfInOctets*8/period
| eval transferedBitsOut=snmpIfOutOctets*8/period
| timechart span=10m sum(transferedBitsIn) as Input sum(transferedBitsOut) as output by source
As far as the truncation warning, it is just as it says: you need to be sure to limit the number of points on the graph to < 1000. To do this, you need to enlarge your timechart from span=10m to something like span=1h (or maybe even larger for 30 days). If you need aggregate, why are you using timechart? Why are you not generating a single value like this with stats?
index=snmp dst_device="mdf1" src_device="mdf2"
| reverse
| delta _time as period
| eval transferedBitsIn=snmpIfInOctets*8/period
| eval transferedBitsOut=snmpIfOutOctets*8/period
| stats sum(transferedBitsIn) as Input sum(transferedBitsOut) as output by source
So, this is what I'm trying to achieve: I want to calculate the aggregate bandwidth (xx GB/s) for each link (for instance A1-MDF1 -> B2-MDF1), so I can evaluate a 30-day 95th percentile utilization on each link (like A1-MDF1 -> B2-MDF1). Hope that helps.
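The negative-values symptom and the reverse fix from the reply above, plus the per-link 95th percentile the question asks for, worked through in Python as an added example (not code from this thread). The events are constructed, the field names mirror the searches above, and per-link grouping of the delta is an assumption of this example, since SPL's delta command is not grouped.

```python
from collections import defaultdict
import math

# Constructed SNMP events in the order Splunk hands them to delta: newest first.
# Field names mirror the searches in this thread; the values are made up.
EVENTS = [
    {"_time": 1800, "src_device": "mdf2", "dst_device": "mdf1",
     "snmpIfInOctets": 300_000, "snmpIfOutOctets": 75_000},
    {"_time": 1200, "src_device": "mdf1", "dst_device": "mdf2",
     "snmpIfInOctets": 1_200_000, "snmpIfOutOctets": 300_000},
    {"_time": 600, "src_device": "mdf2", "dst_device": "mdf1",
     "snmpIfInOctets": 600_000, "snmpIfOutOctets": 150_000},
    {"_time": 0, "src_device": "mdf1", "dst_device": "mdf2",
     "snmpIfInOctets": 150_000, "snmpIfOutOctets": 37_500},
]

def link_key(ev):
    """Undirected link name, like the eval link=... in the replies (A<->B)."""
    a, b = sorted((ev["src_device"], ev["dst_device"]))
    return f"{a}<->{b}"

def rates_bps(events):
    """'delta _time as period' then octets*8/period, in the order given.
    A link's first event has no predecessor and yields no rate (delta leaves
    the field null). Per-link grouping is an addition: SPL's delta is not
    grouped, which is why the searches above filter to one src/dst pair."""
    last_time, rates = {}, defaultdict(list)
    for ev in events:
        link = link_key(ev)
        if link in last_time:
            period = ev["_time"] - last_time[link]  # negative when newest-first
            total_bits = (ev["snmpIfInOctets"] + ev["snmpIfOutOctets"]) * 8
            rates[link].append(total_bits / period)
        last_time[link] = ev["_time"]
    return dict(rates)

def percentile_95(values):
    """Nearest-rank 95th percentile of a list of rates."""
    ordered = sorted(values)
    return ordered[max(0, math.ceil(0.95 * len(ordered)) - 1)]

def p95_per_link(events):
    """The fix and the goal: order oldest-first (the |reverse in the reply),
    then take the 95th percentile per link for the 30-day utilization check."""
    oldest_first = sorted(events, key=lambda ev: ev["_time"])
    return {link: percentile_95(r) for link, r in rates_bps(oldest_first).items()}
```

Feeding EVENTS as-is reproduces the all-negative rates; reversing them first gives the positive rates the timechart should show.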
Hi somesoni2,
Here is a line of my log file from one of my switches:
1199999: Jul 29 22:33:01: %SEC-1-IP------: list VLAN64_RS_Out permitted udp (TenGigabitEthernet5/1 ) -> (port number), 1 packet
Could you provide some sample logs on how your events looks like?
