Apologies, I'm not a Splunk administrator, I'm a capacity tool person that needs to extract some metrics from Splunk.
Mostly I'm doing fine, but this one has me stumped. I'm trying to collect network throughput data from F5 firewalls.
This is my search query:
| tstats
first(all.clientside_bytes_in)
from datamodel="bigip-tmstats-virtual_server_stat"
by
host
all.name
_time
span=5m
| rename first(all.*) as * all.* as *
| `abs_to_rate("host name", "clientside_bytes_in")`
| sort host,name,_time
| fields host,name,_time, clientside_bytes_in, clientside_bytes_in_rate
I get network throughput data at a 5 minute rate at a host,name level, and the data looks correct.
But I need to roll that up and have it just at 'host' level, as host,name is too granular. I can't get it to work; when I take 'name' out of the query the results don't make any sense. How do I return data at a host level, summing all of the name level data into one result per 5 minutes?