SNMP Modular Input Poller: What is the best way to log multi-dimensional data in a format that makes it easy to perform stats & timecharts?

joxley
Path Finder

I have built the snmpmod modular input for polling network interfaces and Cisco IPSLA statistics. I want to add support for QoS policy shaping. The problem is I don't know how best to represent the data in Splunk.

  • Each event (collected every 5 minutes) will be for one interface in one direction (in/out)
  • There are multiple QoS class maps such as REALTIME, IN-CONTRACT, etc (6 to 8 of them)
  • There are multiple statistics to collect, such as prePolicyBitRate, postPolicyBitRate, prePolicyPkt64, etc

For each class map there is a value for each statistic. The data would look like:

                        REALTIME    IN-CONTRACT   
   prePolicyBitRate         3546          48599   
   postPolicyBitRate      328477         854989   
   prePolicyPkt64            465           9950   

How can I best represent the data in the Splunk event? My ideas so far have been:

<timestamp> interface=1 direction=in REALTIME.prePolicyBitRate=11234 REALTIME.postPolicyBitRate=5433

or

<timestamp> interface=1 direction=in REALTIME="prePolicyBitRate/11234" REALTIME="postPolicyBitRate/5433"

I'm not sure which format would make it easiest to perform stats & timecharts on.

1 Solution

alacercogitatus
SplunkTrust

I would split it apart even further if possible. For each type of class map, output an event.

 <timestamp> interface=1 direction=in class_map=REALTIME prePolicyBitRate=11234 postPolicyBitRate=5433
 <timestamp> interface=1 direction=in class_map=IN-CONTRACT prePolicyBitRate=11234 postPolicyBitRate=5433

This makes search optimization much easier, as you can specify a class_map= in your search to limit the data you want without having to do complicated extractions. Clean and easy Key Value Pairs are the way to go.

If you can't split like this, then a JSON object approach might work well.

{ "timestamp" : <timestamp>, "direction" : "in", "realtime" : {  "prePolicyBitRate": 11234 }, "in-contract" : { "postPolicyBitRate" : 5433 } }

Or, the poor man's json:

<timestamp> interface=1 direction=in realtime.prepolicybitrate=11234 incontract.postpolicybitrate=5433
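The three layouts from the answer above (one event per class map, a nested JSON object, and the flattened dotted-key form), as an added example that is not part of the original post. It assumes the poller already holds one poll as a class_map -> {statistic: value} dictionary; the sample values are taken from the table in the question and the timestamp is a constructed placeholder.

```python
import json
import re

# Constructed sample poll: one interface, one direction, class_map -> {statistic: value}
# (values from the table in the question; the event timestamp is passed in separately).
SAMPLE_POLL = {
    "interface": 1,
    "direction": "in",
    "classes": {
        "REALTIME": {"prePolicyBitRate": 3546, "postPolicyBitRate": 328477, "prePolicyPkt64": 465},
        "IN-CONTRACT": {"prePolicyBitRate": 48599, "postPolicyBitRate": 854989, "prePolicyPkt64": 9950},
    },
}


def kv(key, value):
    """Render key=value; double-quote values containing spaces, '=' or quotes so
    Splunk's automatic key/value extraction does not split them apart."""
    text = str(value)
    if any(ch in text for ch in ' ="'):
        text = '"' + text.replace('"', '\\"') + '"'
    return f"{key}={text}"


def per_class_events(poll, ts):
    """Accepted answer's layout: one event per class map, with class_map as its own
    field, so a search can filter on class_map=REALTIME without custom extractions."""
    common = [kv("interface", poll["interface"]), kv("direction", poll["direction"])]
    events = []
    for class_map, stats in poll["classes"].items():
        fields = common + [kv("class_map", class_map)] + [kv(k, v) for k, v in stats.items()]
        events.append(f"{ts} " + " ".join(fields))
    return events


def json_event(poll, ts):
    """JSON alternative: a single event with one nested object per class map."""
    body = {"timestamp": ts, "interface": poll["interface"], "direction": poll["direction"]}
    body.update({cm.lower(): dict(stats) for cm, stats in poll["classes"].items()})
    return json.dumps(body, separators=(",", ":"))


def _norm(name):
    """Lower-case a name and drop anything but letters/digits (IN-CONTRACT -> incontract)."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def flat_event(poll, ts):
    """'Poor man's JSON': one event with dotted keys, e.g. incontract.postpolicybitrate=854989."""
    fields = [kv("interface", poll["interface"]), kv("direction", poll["direction"])]
    for class_map, stats in poll["classes"].items():
        fields += [kv(f"{_norm(class_map)}.{_norm(k)}", v) for k, v in stats.items()]
    return f"{ts} " + " ".join(fields)
```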
