Hi Splunk gurus.
I have a query problem that's been challenging me for a while.
When my polling breaks, or when counters reset to zero for whatever reason (i.e. the device I'm polling is rebooted), I get a situation like this (red shading = condition when broken, green = when polling resumes properly):
![alt text][1]
So I basically get a huge spike in my graphs, which destroys the rest of the fidelity on the Y-axis scale. As so:
![alt text][2]
Any ideas how I can solve this condition at the Splunk search / SPL layer? I don't believe I'll ever be able to fix it at the device layer, so I will need the dashboards to handle the condition and work around it somehow. I'm sure I'm not the first to solve this problem, so I didn't want to re-invent the wheel (a quick search of the forums couldn't help me).
Here's my SPL for anyone who wants to copy/paste it to give me a hand!
Thanks all!
```spl
sourcetype=_json source="/Applications/Splunk/etc/apps/_kapp/bin/_KNETWORK/getPFSENSEstats.py"
| streamstats current=t global=f window=2
    earliest(vtnet0BytesInPass) as lastBytesIn
    latest(vtnet0BytesInPass) as currentBytesIn
    earliest(vtnet0BytesOutPass) as lastBytesOut
    latest(vtnet0BytesOutPass) as currentBytesOut
| eval mbpsIn = (currentBytesIn - lastBytesIn) * 8 / 1024 / 1024 / 60
| eval mbpsOut = (currentBytesOut - lastBytesOut) * 8 / 1024 / 1024 / 60
```
[1]: /storage/temp/274526-search-splunk-712-2019-08-29-12-47-511.png
[2]: /storage/temp/274527-bex36-pfsense-splunk-712-2019-08-29-12-48-551.png
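The search below is an added example, not SPL from the original post, showing one way to handle both conditions described above (a counter reset and a polling gap) inside the search itself. It keeps the post's field names (`vtnet0BytesInPass`, `vtnet0BytesOutPass`) and source path, assumes a nominal 60-second polling interval (the `/60` in the original), and uses a 120-second gap threshold that is a hypothetical choice to tune for your environment.

```spl
sourcetype=_json source="/Applications/Splunk/etc/apps/_kapp/bin/_KNETWORK/getPFSENSEstats.py"
| sort 0 _time
| streamstats current=f window=1
    last(_time) as lastTime
    last(vtnet0BytesInPass) as lastBytesIn
    last(vtnet0BytesOutPass) as lastBytesOut
| eval interval = _time - lastTime
| eval deltaIn  = vtnet0BytesInPass  - lastBytesIn
| eval deltaOut = vtnet0BytesOutPass - lastBytesOut
| eval valid = if(isnotnull(interval) AND interval > 0 AND interval <= 120 AND deltaIn >= 0 AND deltaOut >= 0, 1, 0)
| eval mbpsIn  = if(valid == 1, deltaIn  * 8 / 1024 / 1024 / interval, null())
| eval mbpsOut = if(valid == 1, deltaOut * 8 / 1024 / 1024 / interval, null())
| timechart span=1m max(mbpsIn) as mbpsIn max(mbpsOut) as mbpsOut
```

How it works: `sort 0 _time` puts the samples oldest-first, so `streamstats current=f window=1 last(...)` carries the previous sample's counters and timestamp onto the current event (the very first event gets null values and is dropped by the `isnotnull` test). The rate is divided by the measured `interval` rather than a fixed 60, so a delta that spans a long polling outage is spread over the real elapsed time instead of being attributed to one minute; intervals longer than the threshold are discarded anyway as unreliable. A negative delta means the counter went backwards (reboot, or a 32-bit counter wrapping), and that sample is set to `null()` so `timechart` leaves a gap instead of plotting the spike. The `sort 0` step is the costly part on large result sets; `| reverse` is a cheaper alternative when the base search already returns events in reverse time order.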