Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Group by field / table

ross_warren
New Member
‎03-03-2014 12:16 PM

Hi,
I am grabbing interface errors from Cisco routers (via snmpget) that form a distinct path through the network. I want to present them in the same order of the path..

if I dedup the path_order, it works, but not over any period of time.. I want to be able to group the whole path (defined by path_order) (1-19) and display this "table" over time.

index=interface_path sourcetype=interface_errors | dedup path_order| table _time,host_name, ifName,ifOutDiscards,ifOutErrors,ifInDiscards,ifInErrors path_order | sort path_order

Sample of data output (formatting might not be screwy)(host_name field removed for sample data)



_time               ifName           ifOutDiscards  ifOutErrors ifInDiscards ifInErrors path_order

2014-03-03 20:00:00 GigabitEthernet0/0   11508          0       0            0      1

2014-03-03 20:00:03 FastEthernet5/1  5471           30595       0            1      2

2014-03-03 20:00:13 POS2/0           3          0       4            13044      3

2014-03-03 20:00:24 POS2/0           674            0       14           368866     4

Does this make sense? I could be going about this wrong.. Looking for suggestions!

I would love to be able to make a sparkline for each Error and Discard field showing errors over time on one table/chart. But i think i need to figure out the grouping first..

Thanks,
Ross Warrren

0 Karma
Reply

somesoni2
Revered Legend
‎03-03-2014 02:23 PM

Assuming that within a 10 min period, there are only one event/entry with one path_order (since the cron job runs every 10 min, there will be one set of entries every 10 min.), try this:

 index=interface_path sourcetype=interface_errors | eval orig_time=_time | bucket span=10m _time  | stats first(orig_time) as orig_time ,first(host_name) as host_name, first(ifName) as ifName,first(ifOutDiscards) as ifOutDiscards,first(ifOutErrors) as ifOutErrors,first(ifInDiscards) as ifInDiscards,first(ifInErrors) as ifInErrors  by path_order,_time | table orig_time,host_name, ifName,ifOutDiscards,ifOutErrors,ifInDiscards,ifInErrors, path_order | sort orig_time, path_order
0 Karma
Reply

ross_warren
New Member
‎03-03-2014 02:32 PM

Wow.. At first cut and paste this looks great! wow.. Thank you somesoni2! Need to take the time to understand what is going on now.. Give me a day to check it out!

WOWOWW!

0 Karma
Reply

ross_warren
New Member
‎03-03-2014 01:22 PM

Pathorder repeats 1-19, there will not be multiple events in the same 5 min period with the same pathorder number. clear as mud?

It takes about 5 min to get the data from all the routers and the cron job runs every 10 minutes.

side note: If any wants some snmpget/walk scripts.. Willing to share..

Thanks, Ross Warren

0 Karma
Reply

somesoni2
Revered Legend
‎03-03-2014 01:14 PM

Will there be multiple events with same path_order? Will path_order set 1-19 repeats for different calls?

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...