SNMP Modular Input Poller: What is the best way to log multi-dimensional data in a format that makes it easy to perform stats & timecharts?

joxley
Path Finder

I have built the snmpmod modular input for polling network interfaces and Cisco IPSLA statistics. I want to add support for QoS policy shaping. The problem is I don't know how best to represent the data in Splunk.

  • Each event (collected every 5 minutes) will be for one interface in one direction (in/out)
  • There are multiple QoS class maps such as REALTIME, IN-CONTRACT, etc. (6 to 8 of them)
  • There are multiple statistics to collect, such as prePolicyBitRate, postPolicyBitRate, prePolicyPkt64, etc.

For each class map there is a value for each statistic. The data would look like:

                        REALTIME    IN-CONTRACT   
   prePolicyBitRate         3546          48599   
   postPolicyBitRate      328477         854989   
   prePolicyPkt64            465           9950   

How can I best represent the data in the Splunk event? My ideas so far have been:

<timestamp> interface=1 direction=in REALTIME.prePolicyBitRate=11234 REALTIME.postPolicyBitRate=5433

or

<timestamp> interface=1 direction=in REALTIME="prePolicyBitRate/11234" REALTIME="postPolicyBitRate/5433"

I'm not sure which format would make it easiest to perform stats & timecharts on.

1 Solution

alacercogitatus
SplunkTrust

I would split it apart even further if possible. For each type of class map, output an event.

 <timestamp> interface=1 direction=in class_map=REALTIME prePolicyBitRate=11234 postPolicyBitRate=5433
 <timestamp> interface=1 direction=in class_map=IN-CONTRACT prePolicyBitRate=11234 postPolicyBitRate=5433

This makes search optimization much easier, as you can specify class_map= in your search to limit the data you want without having to do complicated extractions. Clean and easy key-value pairs are the way to go.

If you can't split like this, then a JSON object approach might work well.

{ "timestamp" : <timestamp>, "direction" : "in", "realtime" : {  "prePolicyBitRate": 11234 }, "in-contract" : { "postPolicyBitRate" : 5433 } }

Or, the poor man's json:

<timestamp> interface=1 direction=in realtime.prepolicybitrate=11234 incontract.postpolicybitrate=5433
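As an added example (not code from the original answer or from the snmpmod input), the following Python builds the one-event-per-class-map output recommended above from the question's class-map by statistic matrix, emits the JSON fallback for comparison, and includes a small hypothetical key=value parser to show that class_map is filterable with no extraction; the sample values and timestamp are constructed.

```python
import json
import shlex
from datetime import datetime, timezone

# Constructed sample: the class-map x statistic matrix from the question,
# for one interface in one direction. Values are made up.
SAMPLE = {
    "REALTIME":    {"prePolicyBitRate": 3546,  "postPolicyBitRate": 328477, "prePolicyPkt64": 465},
    "IN-CONTRACT": {"prePolicyBitRate": 48599, "postPolicyBitRate": 854989, "prePolicyPkt64": 9950},
}
SAMPLE_TS = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed poll time


def _kv(key, value):
    """Render one key=value pair, quoting values that contain spaces or quotes."""
    s = str(value)
    return f'{key}="{s}"' if any(c in s for c in ' "') else f"{key}={s}"


def per_class_map_events(ts, interface, direction, stats):
    """Recommended layout: one key=value event per (interface, direction, class_map)."""
    events = []
    for class_map, values in stats.items():
        fields = [_kv("interface", interface), _kv("direction", direction),
                  _kv("class_map", class_map)]
        fields += [_kv(k, v) for k, v in values.items()]
        events.append(f"{ts.isoformat()} " + " ".join(fields))
    return events


def json_event(ts, interface, direction, stats):
    """Fallback layout: a single JSON event with one nested object per class map."""
    return json.dumps({"timestamp": ts.isoformat(), "interface": interface,
                       "direction": direction, **stats})


def parse_kv(event):
    """Hypothetical key=value extraction (not Splunk's parser) to check the output.

    Returns (timestamp, fields) so a caller can filter on fields['class_map']."""
    ts, _, rest = event.partition(" ")
    fields = {}
    for token in shlex.split(rest):  # shlex honours the quoting done by _kv
        key, _, value = token.partition("=")
        fields[key] = value
    return ts, fields


if __name__ == "__main__":
    for line in per_class_map_events(SAMPLE_TS, 1, "in", SAMPLE):
        print(line)
    print(json_event(SAMPLE_TS, 1, "in", SAMPLE))
```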
