Delta of overflowing counter for Bandwidth measurement

splunkbeginner2
Path Finder

Hey there,

Today seems to me like the morning of many questions.

So I have another problem: I want to measure the bandwidth with SNMP. The router returns a 32-bit counter for octets of bits transmitted. On some very powerful connections this results in the counter reaching its end and starting at its negative value again. This is quite bad, because it destroys my whole graph (every few seconds you have this drop and the real rise isn't visible anymore).
The graph should display the difference between that counter and the counter of the event before. Therefore I am using the | delta command to get the difference from the last one. How could I create a query that is fail-safe or filters such events out?

index=snmp source="MyConnection" | sort 0 _time | delta IfInOctets as in | timechart sum(in)

(It would be great if you could offer a performant solution, but anything that works helps.)
Anyway: Thank you for your support!

Regards,
Xantor

0 Karma
1 Solution

aweitzman
Motivator

Maybe something like this?

index=snmp source="MyConnection" | sort 0 _time | delta IfInOctets as in | eval max=pow(2,32) | eval min=0 | eval in_corrected=if(in<0,max-min+in,in) | timechart sum(in_corrected)

(You can leave out the eval max and eval min clauses and just plug the numbers directly into the "then" clause of the if statement if you want - I just did it this way here for readability purposes.)

This is not fail-safe because it cannot take into account the situation where the delta is in reality greater than max, because that reality cannot be reflected in the statistics you're gathering. But except for that caveat, this might be your best shot.
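The wrap correction from the query above, worked through outside Splunk as an added Python example (not code from the thread). The function names and sample values are constructed for illustration, and the `link_bps` plausibility check is an assumption added here to flag the case the answer calls not fail-safe.

```python
MOD = 2 ** 32  # a 32-bit counter holds values 0 .. 2**32 - 1

def wrap_delta(prev, cur, mod=MOD):
    """Octets counted between two polls, assuming at most one wrap.

    Modular subtraction gives the same result whether the collector
    stored the counter as unsigned or as a signed (negative) integer.
    """
    return (cur - prev) % mod

def max_poll_interval(link_bps, mod=MOD):
    """Seconds a link running at line rate needs to wrap the counter once."""
    return mod * 8 / link_bps

def to_rates(samples, link_bps=None, mod=MOD):
    """Turn (epoch_seconds, counter) samples into (epoch_seconds, bits/s).

    If link_bps is given, a rate above it is reported as None: such a
    delta is not a plausible single wrap (counter reset or missed polls).
    """
    rates = []
    for (t0, c0), (t1, c1) in zip(samples, samples[1:]):
        dt = t1 - t0
        if dt <= 0:
            continue  # duplicate or out-of-order sample
        bps = wrap_delta(c0, c1, mod) * 8 / dt
        rates.append((t1, None if link_bps and bps > link_bps else bps))
    return rates

# Constructed samples, not data from the thread.
UNSIGNED_WRAP = [(0, 4294966000), (10, 4294967000), (20, 500)]
SIGNED_WRAP = [(0, 2147483000), (10, -2147483000)]
RESET = [(0, 3000000000), (10, 1200)]  # device restarted, counter back near 0

if __name__ == "__main__":
    print(to_rates(UNSIGNED_WRAP))
    print(to_rates(SIGNED_WRAP))
    print(to_rates(RESET, link_bps=100_000_000))
    print(max_poll_interval(1_000_000_000))
```

At 1 Gbit/s a 32-bit octet counter wraps in about 34 seconds, so a longer poll interval can hide whole wraps that no correction recovers.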


dpaupore
New Member

Also look at the 1.3.6.1.2.1.31.1.1.1 MIB. It has a 64-bit counter for the interface value, much less change.

0 Karma

splunkbeginner2
Path Finder

Thank you, I know about this, but not every device is able to return 64-bit values. Some just have 32 bits...

0 Karma

splunkbeginner2
Path Finder

I meanwhile used a slightly different solution, but I think yours would even have been better. Thank you!

0 Karma

splunkbeginner2
Path Finder

Well. But dearly it produces false results. Each time the counter crosses the maximum, delta doesn't count "from old to max and from min to current". But that's what it should do. Delta instead works and calculates: "Value shortly before max - X = Current value" and returns the X.
Unfortunately I need it somehow different.

0 Karma

somesoni2
Revered Legend

The search is currently working, right? Are you looking for alternatives to your 'delta' solution?

0 Karma