n00badmin / mirage

Mirage is a Cacti plugin designed to mirror SNMP polling data to file.
MIT License

Unable to get traffic_in and traffic_out data in Splunk #9

Closed netniV closed 5 years ago

netniV commented 6 years ago

I have managed to get the link working between mirage and splunk. For ping latency data, I can see this with the following query:

index=cacti sourcetype="cacti:mirage" rrdn=ping | sort max(rrdv) | timechart max(rrdv) by hostname limit=0

I'm trying to get the same data out for network interfaces, where the cacti values are traffic_in and traffic_out, but I seem to be unable to locate any data for this.

n00badmin commented 6 years ago

Are you graphing network interfaces on your hosts? If so, you should see rrdn=traffic_in & rrdn=traffic_out in the mirage_poller_output.log which Splunk is ingesting.

netniV commented 6 years ago

Yeah I'm graphing them. I have just run index=cacti | stats count(host) by rrdn

And that has shown that there are entries for "traffic_in" and "traffic_out", so I will try and query for rrdv against them again.

netniV commented 6 years ago

index=cacti rrdn=traffic_in | timechart min(rrdv) as Minimum, max(rrdv) as Maximum , avg(rrdv) as Average by hostname limit 0

That gives me stats as I would expect. The values are super high because they are in kilo/megabytes so need to be scaled somehow. If I was to graph this properly, I'd want the max of both traffic_in and traffic_out I think to get a proper idea of throughput (average could work but would rather overestimate it).

So, I need to figure out how to combine traffic_in max values with traffic_out max values and rotate, since there will be far more hosts than timeslots. Since both searches use the same column, I can't just simply say max(rrdv); it needs to be rrdv of only one of the rrdn's.

n00badmin commented 6 years ago

Actually, you need to account for the fact that the traffic counters are raw counters. I believe we do that in the quick chart with streamstats. You can use the ‘open in search’ once you have constructed a network graph to see how we did it. (Hint: streamstats range function.)

Come join us in the Splunk community Slack chat and I can assist you in real time: http://splk.it/slack
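The raw-counter point in the comment above, as an added Python example that is not part of the thread or of Mirage's code: it turns raw counter samples into per-second rates and then takes the peak per host and direction. It goes beyond the streamstats hint by also handling counter wrap and resets; the sample records, the timestamp field, the 32-bit counter width and the rate ceiling are assumptions.

```python
from collections import defaultdict

# Constructed samples, not real Mirage output: (epoch_seconds, hostname, rrdn, rrdv).
# The timestamp field and the 32-bit counter width are assumptions.
SAMPLES = [
    (0,   "sw1", "traffic_in",  4_294_367_296),
    (300, "sw1", "traffic_in",  4_294_667_296),
    (600, "sw1", "traffic_in",  150_000),      # counter wrapped past 2**32
    (900, "sw1", "traffic_in",  750_000),
    (0,   "sw1", "traffic_out", 5_000),
    (300, "sw1", "traffic_out", 755_000),
    (600, "sw1", "traffic_out", 200),          # counter reset (e.g. device reboot)
    (900, "sw1", "traffic_out", 150_200),
]


def rates(samples, counter_bits=32, max_rate=1_000_000):
    """Return (time, hostname, rrdn, rate_per_second) rows from raw counter samples.

    A decrease is first treated as a wrap of a counter_bits-wide counter.
    If the resulting rate exceeds max_rate (an assumed plausibility ceiling),
    the interval is dropped as a reset instead of being charted as a spike.
    """
    last = {}
    rows = []
    for ts, host, rrdn, value in sorted(samples):
        key = (host, rrdn)
        if key in last and ts > last[key][0]:
            prev_ts, prev_value = last[key]
            delta = value - prev_value
            if delta < 0:
                delta += 2 ** counter_bits
            rate = delta / (ts - prev_ts)
            if rate <= max_rate:
                rows.append((ts, host, rrdn, rate))
        last[key] = (ts, value)
    return rows


def peak_by_host(rate_rows):
    """Return {hostname: {rrdn: peak rate}} so in/out peaks sit side by side."""
    peaks = defaultdict(dict)
    for _ts, host, rrdn, rate in rate_rows:
        peaks[host][rrdn] = max(rate, peaks[host].get(rrdn, 0.0))
    return {host: dict(by_rrdn) for host, by_rrdn in peaks.items()}


if __name__ == "__main__":
    print(peak_by_host(rates(SAMPLES)))
```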

n00badmin commented 6 years ago

I'm @mattymo on the chat, FYI.

netniV commented 6 years ago

I'll catch up with you next week. Not in the office to work on this until then.

netniV commented 6 years ago

I finally got around to signing up. Presume I will need to wait for a response though.

n00badmin commented 6 years ago

Hey @netniV, did you get your chat access?