Hello everyone,
I am new to Splunk and learning the ropes. I am stuck on a query I am trying to set up. I have SNMP data coming in and I am trying to measure traffic in Mbps or Kbps. SNMP uses a continuous bit counter which continuously adds traffic to a total sum. In order to get Mbps I have to use the following calculation:
((Current_Value - Previous Value) / (current_time - previous_time)) and then convert bytes to Mbps. This is working fine, however I want to be able to do this "foreach" interface for a dashboard. Right now when I use a wildcard for interface name it breaks, because the delta calculation doesn't always use the same interface.
index=sample name="interfaces" ifName="ethernet1/1"
| where bytes_in!=0
| sort _time
| delta _time AS time_delta
| delta bytes_in AS delta_bytes_in
| eval Kbps = ((delta_bytes_in * 8) / 1000) / time_delta
| eval Mbps = Kbps/1000
| table _time, Mbps
When I switch ifName="ethernet1/1" to ifName="*", this breaks. I was hoping to use foreach to iterate over each interface, but do not know how. Was hoping someone could help me with this 🙂
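
One way to run the same calculation for every interface at once, as an added example that is not part of the original post: `streamstats ... BY ifName` takes the previous sample from the same interface rather than from whichever event happened to come before it. The field names `prev_time` and `prev_bytes_in` are made up for this sketch; the index and the other fields are the ones in the query above.

```spl
index=sample name="interfaces" ifName="*"
| where bytes_in!=0
| sort 0 ifName _time
| streamstats current=f window=1 global=f last(_time) AS prev_time last(bytes_in) AS prev_bytes_in BY ifName
| eval time_delta = _time - prev_time
| eval delta_bytes_in = bytes_in - prev_bytes_in
| where time_delta > 0 AND delta_bytes_in >= 0
| eval Kbps = ((delta_bytes_in * 8) / 1000) / time_delta
| eval Mbps = Kbps / 1000
| table _time, ifName, Mbps
```

The `where` before the rate calculation drops the first sample of each interface (which has no previous value) and any sample where the counter went backwards, such as after a device reboot or counter wrap, so those do not show up as negative or huge rates. For a dashboard panel, the final `table` can be swapped for `timechart avg(Mbps) BY ifName`.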