Hi,

I am new to Splunk. I am wondering if there is a way to calculate the delta of RXdropped from 5 minutes apart.

10:50:00 RXdropped 123

10:55:00 RXdropped 456

asked 09 Nov '11, 10:02

tdnguyen1


2 Answers:

I did this; it seems to work for now.

index=os sourcetype="interfaces" host="prdcg4mdbl03.oss.prd"
  | multikv
  | eval PercError_PacketLoss=round(((Error * 100)/(RXbytes+TXbytes)),1)
  | eval StatusError = if(PercError_PacketLoss >= 1.0, "WARNING", "OK")
  | eval PercRX_PacketLoss=round(((RXdropped * 100)/RXbytes),1)
  | eval PercTX_PacketLoss=round(((TXdropped * 100)/TXbytes),1)
  | eval StatusRX = if(PercRX_PacketLoss >= 1.0, "WARNING", "OK")
  | eval StatusTX = if(PercTX_PacketLoss >= 1.0, "WARNING", "OK")
  | table time Name StatusError PercError_PacketLoss StatusRX PercRX_PacketLoss StatusTX PercTX_PacketLoss

answered 09 Nov '11, 13:30

tdnguyen1

Hello! Welcome to Splunk!

If you download the *NIX App, you'll find there is a dashboard for network traffic. Here's the link: Splunk for Unix and Linux on Splunkbase

This is the search that the *nix app uses:

index="os" sourcetype="interfaces" host=*
  | multikv fields name, inetAddr, RXbytes, TXbytes
  | streamstats current=f last(TXbytes) as lastTX, last(RXbytes) as lastRX by Name
  | eval time=_time
  | strcat Name "-" inetAddr "@" host Interface_Host
  | eval RX_Thruput = lastRX-RXbytes
  | eval TX_Thruput = lastTX-TXbytes
  | timechart eval(sum(TX_Thruput)/dc(time)) by Interface_Host

In the "streamstats" function, it's creating two new fields: last(TXbytes) as lastTX, and last(RXbytes) as lastRX. Later it subtracts the last value from the current value with: eval RX_Thruput = lastRX-RXbytes

The last() function gets the most recent value of a field and adds it to the current event. Remember that the default order of events in Splunk is reverse chronological order, so when an event gets the "last" value of a field it's getting it from a later time, so subtracting the "current" value from the "last" value gives us the difference, which is the throughput for the period.

Best regards, Jon

answered 09 Nov '11, 10:27

Jon Webster

edited 09 Nov '11, 10:34

Hi Jon,

Thanks for your fast response. I really appreciated that. The result is not what I expected. I am looking for the delta. Something like this.

456 - 123 = 333

(09 Nov '11, 11:23) tdnguyen1

For some reason, I could not get the right result using your query.

(09 Nov '11, 13:30) tdnguyen1

It is calculating the delta. This eval statement subtracts RXbytes from lastRX and assigns the result to RX_Thruput.

eval RX_Thruput=lastRX-RXbytes

In other words:

lastRX (456) - RXbytes (123) = RX_Thruput (333)

It's not using RXdropped, but if you use RXdropped you'll get the results you want.

(09 Nov '11, 15:25) Jon Webster
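
The streamstats logic discussed in this thread, applied to RXdropped and mirrored in Python so the event ordering and the sign of the subtraction can be checked offline. This is an added example, not code from the thread or from the *NIX app; the sample events, the function name and the counter-reset handling are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample events (not from the thread), newest first, the way
# Splunk returns them by default: (time, interface Name, RXdropped counter).
SAMPLE_EVENTS = [
    ("11:00:00", "eth0", 20),   # counter restarted (e.g. reboot) before this sample
    ("10:55:00", "eth1", 7),
    ("10:55:00", "eth0", 456),
    ("10:50:00", "eth1", 7),
    ("10:50:00", "eth0", 123),
]


def rxdropped_deltas(events_newest_first):
    """Mimic `streamstats current=f last(RXdropped) as lastRXdropped by Name`
    followed by `eval delta = lastRXdropped - RXdropped`.

    Returns {Name: [(interval_end_time, delta), ...]}, oldest interval first.
    """
    last_seen = {}              # Name -> (time, counter) of the previously streamed event
    deltas = defaultdict(list)
    for time, name, counter in events_newest_first:
        if name in last_seen:
            # Events stream newest first, so the "last" value is the LATER sample.
            later_time, later_counter = last_seen[name]
            delta = later_counter - counter
            if delta < 0:
                # Assumption: a counter that went backwards was reset to zero,
                # so the later reading itself is what was dropped since the reset.
                delta = later_counter
            deltas[name].append((later_time, delta))
        last_seen[name] = (time, counter)
    # Reverse each list so intervals read in chronological order.
    return {name: rows[::-1] for name, rows in deltas.items()}


if __name__ == "__main__":
    for name, rows in sorted(rxdropped_deltas(SAMPLE_EVENTS).items()):
        for end_time, delta in rows:
            print(f"{end_time} {name} RXdropped delta = {delta}")
```

The first sample of each interface has no later-streamed neighbour to compare against, so it produces no delta row, which matches what streamstats does with current=f.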
Asked: 09 Nov '11, 10:02

Seen: 617 times

Last updated: 09 Nov '11, 15:26

Copyright © 2005-2012 Splunk Inc. All rights reserved.