How to do a basic plot of network traffic by minute?

Motivator

I'm trying to do a basic plot of network traffic (bps) by minute over three days. I uploaded a .csv file that has the following values (table below): Date/Time, Inbound Traffic (bps), and Outbound Traffic (bps).

I assume timechart would be the way to go, but is there an alternative to using count with timechart? Would xyseries be better for this?

Thx

Date/Time       Inbound Traffic (bps)   Outbound Traffic (bps)
2/6/2015 9:05   5041.333333             16797.2
2/6/2015 9:06   81465.06667             46898.13333
2/6/2015 9:07   75185.86667             39628.4
2/6/2015 9:08   63014.26667             36598.53333
2/6/2015 9:09   59666.53333             33969.2
2/6/2015 9:10   59962.66667             34255.86667
2/6/2015 9:11   58208.8                 33594.13333
2/6/2015 9:12   58009.73333             32810
2/6/2015 9:13   57551.6                 31079.86667
2/6/2015 9:14   58302.8                 32979.33333
2/6/2015 9:15   55626.8                 32290.26667
2/6/2015 9:16   57272.93333             30226.66667
2/6/2015 9:17   52814.26667             28473.46667
2/6/2015 9:18   50604.66667             24304.13333

Re: How to do a basic plot of network traffic by minute?

Explorer

I think timechart is the way to go. Otherwise you may run into plotting issues with the date time field.
http://docs.splunk.com/Documentation/Splunk/6.2.1/Viz/ChartDisplayissues

You're not really asking how to plot it in a specific way, but the documentation is really useful. I would play around with the different values you can use.

http://docs.splunk.com/Documentation/Splunk/6.2.1/SearchReference/Timechart#Examples

Re: How to do a basic plot of network traffic by minute?

Motivator

Thx for the info

0 Karma

Re: How to do a basic plot of network traffic by minute?

Splunk Employee

I put your file into an index to test this and used:

source="215776.csv" index="answers" | eval Bandwidth=Inbound+Outbound | timechart span=1m values(Inbound) as "Inbound Traffic (bps)",values(Outbound) as "Outbound Traffic (bps)",values(Bandwidth) as "Total Bandwidth (bps)"

Which resulted in:

alt text

Is this what you need?

Re: How to do a basic plot of network traffic by minute?

Motivator

Thx for the great info. That is exactly what I wanted. However, I had to modify my search as such:

| eval Bandwidth=Inbound+Outbound | timechart span=1m values("Inbound Traffic _bps") as "Inbound" ,values("Outbound Traffic _bps") as "Outbound"

With that, I'm seeing a different result than you got. How can I post a screenshot?

Thx

0 Karma

Re: How to do a basic plot of network traffic by minute?

Splunk Employee

You can save the screenshot, then click the little square Polaroid-looking icon on the edit bar above the text entry box.

I suspect since you have different field names, you need to change the eval statement to:

... | eval Bandwidth='Inbound Traffic _bps' + 'Outbound Traffic _bps' | ...
0 Karma

Re: How to do a basic plot of network traffic by minute?

Motivator

Missed that first eval statement - thx

New search query:
| eval Bandwidth='Inbound Traffic _bps' + 'Outbound Traffic _bps' | timechart span=1m values("Inbound Traffic _bps") as "Inbound", values("Outbound Traffic _bps") as "Outbound", values(Bandwidth) as "Total Bandwidth (bps)"

What do I enter for the image URL?

Thx again

0 Karma

Re: How to do a basic plot of network traffic by minute?

Splunk Employee

Just choose "upload" and the Answers app will use a local image you've uploaded.

0 Karma

Re: How to do a basic plot of network traffic by minute?

Motivator

My bad - wasn't seeing the upload option when replying to a message. Needed to add an answer to see the option. Screenshot below:

alt text

0 Karma

Re: How to do a basic plot of network traffic by minute?

Splunk Employee

I only had the subset of data you posted in the question, so the charts might not look the same.

My table results driving the chart are:

alt text

0 Karma
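
An added example (not from any poster in this thread): it rebuilds four of the rows from the question with makeresults, gives them the field names used in the thread, and charts them per minute, writing the field names in single quotes inside eval (double quotes there denote string literals) and using avg() in place of values(). The short names raw, dt, inb and outb are placeholders introduced here, and the search assumes the time range is set to All time so that the 2015 timestamps are in range.

```spl
| makeresults
| eval raw="2/6/2015 9:05,5041.333333,16797.2;2/6/2015 9:06,81465.06667,46898.13333;2/6/2015 9:07,75185.86667,39628.4;2/6/2015 9:08,63014.26667,36598.53333"
| makemv delim=";" raw
| mvexpand raw
| rex field=raw "^(?<dt>[^,]+),(?<inb>[^,]+),(?<outb>[^,]+)$"
| eval _time=strptime(dt, "%m/%d/%Y %H:%M")
| rename inb as "Inbound Traffic _bps", outb as "Outbound Traffic _bps"
| eval Bandwidth='Inbound Traffic _bps' + 'Outbound Traffic _bps'
| timechart span=1m avg("Inbound Traffic _bps") as "Inbound", avg("Outbound Traffic _bps") as "Outbound", avg(Bandwidth) as "Total Bandwidth (bps)"
```

With one sample per minute, avg() returns the same number that values() would; if a minute ever holds more than one sample, avg() still yields a single plottable value per bucket, whereas values() returns a multivalue list.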