Uptime Graph for Multiple Objects

TaylorWhitt
Explorer

I've searched Splunk Answers and I have gotten two search strings which, if combined, would give me the results I would like.

The field values that I can get out of my search are like the following:

neighbor=D state_to=Down
neighbor=B state_to=Up
neighbor=D state_to=Up
neighbor=A state_to=Up
neighbor=B state_to=Down
neighbor=C state_to=Up
neighbor=A state_to=Down
neighbor=B state_to=Up
neighbor=A state_to=Up

Where capital letters are referencing an IP address.

* | eval upordown=if(state_to="Up",+1,-1) | streamstats sum(upordown) as concurrency by neighbor | timechart max(concurrency) by neighbor

This one provides a graph for multiple interfaces with a color-coded key to the right that I can hover over, but shows unnecessary values. I honestly just want a line for each interface like a sparkline, but... more appealing.

src_ip="IPADDRESS" | transaction Uptime startswith=(state_to=Up) endswith=(state_to=Down) | concurrency duration=duration | timechart avg(concurrency) as UpDown

This is perfect for a specific interface, but like the top one I want it to show multiple interfaces. I've been staring at this for two 12-hour shifts now, but I am not familiar with Splunk's language and commands.

I was thinking of having a search just get a table of all interfaces at search time and (somehow) use the row number as the value for the graph line of each interface (that way each one is a separate line), and somehow cram all that in with the other two strings so that if the interface is "Up", the value is the row number, and if it is down, the filldown value is multiplied by 0. I haven't gotten a search with filldown to work yet either, hence why I didn't include it in the code above.

Can anyone help? I have a good feeling this is possible, I think I have just been staring at this too long.


_d_
Splunk Employee

Unclear as to what you're asking, but if you want to plot the state of each neighbor/interface over time then you can use this search (on your data):

| eval upordown=if(state_to="Up",10,-10) | timechart max(upordown) by neighbor | fillnull value=1

with Column visualization and Format with Multi-series Mode as "Yes". It should produce a chart as attached.

TaylorWhitt
Explorer

It's not "exactly" what I was asking for, but I was unaware of the multi-series mode under format. Using the Area visualization and Multi-series mode format, the following search got me basically what I wanted.

state_to=* | transaction Uptime startswith=(state_to=Up) endswith=(state_to=Down) | concurrency duration=duration | timechart max(concurrency) as UpDown by neighbor fixedrange=F span=5m

(hope this picture works)
I have tunnels that go up and down constantly. I didn't want anything to be drawn if the tunnel was down, but I wanted it to be easily recognizable if it was up, for the duration of it being up. At times, I have 20 tunnels up at one time, so this may not be great for when that happens... but if my boss doesn't like it, he can send me to training.

I appreciate your help.
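As an added example that is not part of this thread, the same idea in plain Python over constructed events: pair each neighbor's Up with its next Down (what the transaction startswith/endswith searches above do), then bucket time into fixed spans like timechart span=5m and mark every bucket an up interval touches, so each neighbor gets its own 0/1 row for the whole time it was up. The log format, timestamps and function names are assumptions.

```python
"""Added example (not from the thread): per-neighbor up/down series in Python.

Pairs each state_to=Up with the next state_to=Down for the same neighbor,
then buckets time into fixed spans and marks every bucket an up interval
overlaps. All log lines below are constructed sample data.
"""
import re
from collections import defaultdict

# Constructed sample events: epoch seconds, neighbor and the new state.
SAMPLE_LOG = """\
1700000000 neighbor=A state_to=Up
1700000120 neighbor=B state_to=Up
1700000400 neighbor=A state_to=Down
1700000700 neighbor=B state_to=Down
1700000900 neighbor=A state_to=Up
"""

EVENT_RE = re.compile(r"^(\d+)\s+neighbor=(\S+)\s+state_to=(Up|Down)$")


def parse_events(text):
    """Return (time, neighbor, state) tuples sorted by time; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append((int(m.group(1)), m.group(2), m.group(3)))
    return sorted(events)


def up_intervals(events, now):
    """Pair Up -> Down per neighbor into (start, end) intervals.
    A repeated Up keeps the first start, a Down without an open Up is ignored,
    and an Up with no later Down is treated as still up at `now`."""
    open_since = {}
    intervals = defaultdict(list)
    for t, nb, state in events:
        if state == "Up" and nb not in open_since:
            open_since[nb] = t
        elif state == "Down" and nb in open_since:
            intervals[nb].append((open_since.pop(nb), t))
    for nb, start in open_since.items():
        intervals[nb].append((start, now))
    return dict(intervals)


def timechart(intervals, span, start, end):
    """Bucket [start, end) into spans aligned to `span`; a neighbor gets 1 in
    every bucket one of its up intervals overlaps, else 0 (like a per-series row)."""
    buckets = list(range(start - start % span, end, span))
    series = {}
    for nb, ivs in intervals.items():
        series[nb] = [1 if any(s < b + span and e > b for s, e in ivs) else 0
                      for b in buckets]
    return buckets, series
```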
