• State Verified Answer
  • Locked Locked
  • Replies 4 replies
  • Subscribers 38 subscribers
  • Views 887 views
  • Users 0 members are here
Options
Related
This discussion has been locked. The information referenced herein may be inaccurate due to age, software updates, or external references.
You can no longer post new replies to this discussion. If you have a similar question you can start a new discussion in this forum.

SWQL on REST API for Interface stats

glenp42

I've put together some SWQL and have been querying that via Splunk to extract interface stats but I'm not getting the expected results.

My query is:

SELECT I.Node.Caption, I.IfName,

Avg(I.Traffic.OutAveragebps) AS [Avg Tx bps],
MAX(I.Traffic.OutMaxbps) AS [Max Tx bps],
MIN(I.Traffic.OutMinbps) AS [Min Tx bps],
Avg(I.Traffic.InAveragebps) AS [Avg Rx bps],
MAX(I.Traffic.InMaxbps) AS [Max Rx bps],
MIN(I.Traffic.InMinbps) AS [Min Rx bps]

FROM Orion.NPM.Interfaces I

WHERE (I.Node.Caption LIKE 'RT-%') AND (I.IfName Like 'Port-Ch%')


GROUP BY I.Node.Caption, I.IfName

And I'm getting data into Splunk, however it does't look as I expect.

Adding the RX+TX to get a basic throughput figure,  I'd expect something like:

glenp42_0-1598233013221.png

But what I'm actually getting is:

glenp42_1-1598233056460.png

Is there something wrong with my query, or is the data returned normalized over a period of time rather than a real-time figure the interface was observing?  

Any ideas how I can get real-time (or last polled) data?

Thank you

Glen.

  • 0
    Can't remember off the top of my head how to fix it in splunk but it looks like you have splunk pulling the value and summing it instead of treating it as a replacement value.
  • 0 in reply to mesverrum

    The numbers I get returned from my SWQL query don't get altered -- what I see is not much variation in the figures that I draw from the SWQL query even when I hit it with SWQl Studio so that's why I am concerned my query is not showing the latest poll, but rather the average from a time period which is what I and my Splunk contacts seem to think may be occurring.

    Should my SWQL query be showing Solarwind's latest poll information for the interfaces in question?

    Thank you

    Glen.

  • 0 in reply to glenp42

    Ah yeah, now that I'm at my desk at work I can see, you are averaging the historical data for the entire history of every interface every time you pull a sample.  That's not really productive for a chart like you are trying to build.  You should just be pulling the point in time values for inbps and outbps from orion.npm.interfaces if you are having splunk pull the data every 9 minutes or less. 

    If you have splunk pulling it less often than the interface polling interval (9m default) then you would just pull the data since your last splunk pull and do all your avg/min/max to that recent time slice.  So if you only query orion hourly then you use your existing query but filter it to the previous 60 min.

  • 0 in reply to mesverrum

    Marc,

    Thank you!  That was it.  Graphs looks much better now!

    Glen.

SolarWinds solutions are rooted in our deep connection to our user base in the THWACK® online community. More than 195,000 members are here to solve problems, share technology and best practices, and directly contribute to our product development process.

SolarWinds Customer Success Center Certification Media Vault Link Accounts
About THWACK Blogs For Government Edit Settings Free Tools & Trials
Legal Documents Terms of Use Privacy California Privacy Rights Security Information
©2024 SolarWinds Worldwide, LLC. All Rights Reserved.