Splunk Search

How to do a basic plot of network traffic by minute?

jwalzerpitt
Influencer

I'm trying to do a basic plot of network traffic (bps) by minute over three days. I uploaded a .csv file that has the following values (table below): Date/Time, Inbound Traffic (bps), and Outbound Traffic (bps).

I assume timechart would be the way to go, but is there an alternative to using count with timechart? Would xyseries be better for this?

Thx

Date/Time Inbound Traffic (bps) Outbound Traffic (bps)
2/6/2015 9:05 5041.333333 16797.2
2/6/2015 9:06 81465.06667 46898.13333
2/6/2015 9:07 75185.86667 39628.4
2/6/2015 9:08 63014.26667 36598.53333
2/6/2015 9:09 59666.53333 33969.2
2/6/2015 9:10 59962.66667 34255.86667
2/6/2015 9:11 58208.8 33594.13333
2/6/2015 9:12 58009.73333 32810
2/6/2015 9:13 57551.6 31079.86667
2/6/2015 9:14 58302.8 32979.33333
2/6/2015 9:15 55626.8 32290.26667
2/6/2015 9:16 57272.93333 30226.66667
2/6/2015 9:17 52814.26667 28473.46667
2/6/2015 9:18 50604.66667 24304.13333

1 Solution

jtrucks
Splunk Employee
Splunk Employee

I put your file into an index to test this and used:

source="215776.csv" index="answers" | eval Bandwidth=Inbound+Outbound | timechart span=1m values(Inbound) as "Inbound Traffic (bps)",values(Outbound) as "Outbound Traffic (bps)",values(Bandwidth) as "Total Bandwidth (bps)"

Which resulted in:

alt text

Is this what you need?

--
Jesse Trucks
Minister of Magic

View solution in original post

jtrucks
Splunk Employee
Splunk Employee

I put your file into an index to test this and used:

source="215776.csv" index="answers" | eval Bandwidth=Inbound+Outbound | timechart span=1m values(Inbound) as "Inbound Traffic (bps)",values(Outbound) as "Outbound Traffic (bps)",values(Bandwidth) as "Total Bandwidth (bps)"

Which resulted in:

alt text

Is this what you need?

--
Jesse Trucks
Minister of Magic

jtrucks
Splunk Employee
Splunk Employee

Got it! I used double quotes in the eval above not single quotes. I apologize for that error. Double quotes make for a literal string interpretation, whereas single quotes interprets the contents as a field name.

Therfore, try this:
source="sw_report_flow_02_09_15.csv" index="answers" | eval Bandwidth='Inbound Traffic _bps'+'Outbound Traffic _bps' | timechart span=1m values("Inbound Traffic _bps") as Inbound,values("Outbound Traffic _bps") as Outbound,values(Bandwidth) as Bandwidth

I get this:

alt text

I, also, set the chart to display NULL values as zero, hence the flat line at the bottom that shoots up on the right when there is data again.

( If your settings truncate results, see http://answers.splunk.com/answers/73745/max-data-points-that-charts-can-handle.html )

--
Jesse Trucks
Minister of Magic

jwalzerpitt
Influencer

Jesse, awesome - thx a million for your help and patience! Greatly appreciated!

0 Karma

jwalzerpitt
Influencer
0 Karma

jtrucks
Splunk Employee
Splunk Employee

Can you put the file somewhere and provide a URL? I think the image link only works with images.

--
Jesse Trucks
Minister of Magic
0 Karma

jwalzerpitt
Influencer

I'm actually using the Attachment link, and when I click on 'edit' for the one posting that lists the two files, I actually see the file attached, which is confusing as to why it's not actually being posted.

0 Karma

jwalzerpitt
Influencer

I think I figured it out. I attach the file and then after it's uploaded, I dragged the file into the body of the text and was able to click on it and download the file. Hope this works for you. Thx for sticking through this!

0 Karma

jwalzerpitt
Influencer

File attached - please try this

0 Karma

jtrucks
Splunk Employee
Splunk Employee

No file attached. It looks like maybe an error in the filename?

--
Jesse Trucks
Minister of Magic
0 Karma

jwalzerpitt
Influencer

My bad - wasn't seeing the upload option when replying to a message. Needed to add an answer to see the option. Screenshot below:

alt text

0 Karma

jtrucks
Splunk Employee
Splunk Employee

I only had the subset of data you posted in the question, so the charts might not look the same.

My table results driving the chart are:

alt text

--
Jesse Trucks
Minister of Magic
0 Karma

jwalzerpitt
Influencer

Thx for the great info. That is exactly what I wanted, however, I had to modify my search as such:

| eval Bandwidth=Inbound+Outbound | timechart span=1m values("Inbound Traffic _bps") as "Inbound" ,values("Outbound Traffic _bps") as "Outbound"

With that, I'm seeing a different result than you got. How can I post a screenshot?

Thx

0 Karma

jtrucks
Splunk Employee
Splunk Employee

You can save the screenshot, then click the little square Polaroid looking icon on the edit bar above the text entry box.

I suspect since you have different field names, you need to change the eval statement to:

... | eval Bandwidth="Inbound Traffic _bps" + "Outbound Traffic _bps" | ...
--
Jesse Trucks
Minister of Magic
0 Karma

jwalzerpitt
Influencer

Missed that first eval statement - thx

New search query:
| eval Bandwidth="Inbound Traffic _bps" + "Outbound Traffic _bps"| timechart span=1m values("Inbound Traffic _bps") as "Inbound" ,values("Outbound Traffic _bps") as "Outbound" values(Bandwidth) as "Total Bandwidth (bps)"

What do I enter for the image URL?

Thx again

0 Karma

jtrucks
Splunk Employee
Splunk Employee

Just choose "upload" and the Answers app will use a local image you've uploaded.

--
Jesse Trucks
Minister of Magic
0 Karma

TaylorWhitt
Path Finder

I think timechart is the way to go. Otherwise you may run into plotting issues with the date time field.
http://docs.splunk.com/Documentation/Splunk/6.2.1/Viz/ChartDisplayissues

You're not really asking how to plot it in a specific way, but the documentation is really useful. I would play around with the different values you can use.

http://docs.splunk.com/Documentation/Splunk/6.2.1/SearchReference/Timechart#Examples

jwalzerpitt
Influencer

Thx for the info

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...