Timelion and split with an if statement help

Elastic Stack Kibana
1

Hi

I am looking for some help and not sure if I am doing it right or if it's possible so here I go on my problem.

I am monitoring a switch interfaces with netconf/python and storing the values into ES. Then using timelion to show the bandwidth for the interfaces. See below the query has been shorted to make this easier.
fields:

nc_name = GigabitEthernet1/0/11
nc_in-octets = integer type long
nc_admin-status: UP or DOWN 
more fields in the doc than this.

Query

.es(index=nc_interface_stats-*,metric=avg:nc_in-octets,q='_exists_:nc_in-octets AND nc_admin-status:UP AND nc_port-speed : "SPEED_1GB"',timefield=@timestamp,split=nc_name.keyword:3).derivative()

This works well until I try and put in threshold when the value is great then some value in the graph for that interface that crossed the threshold.

.es(index=nc_interface_stats-*,metric=avg:nc_in-octets,q='_exists_:nc_in-octets AND nc_admin-status:UP AND nc_port-speed : "SPEED_1GB"',timefield=@timestamp,split=nc_name.keyword:3).derivative(), .es(index=nc_interface_stats-*,metric=avg:nc_in-octets,q='_exists_:nc_in-octets AND nc_admin-status:UP AND nc_port-speed : "SPEED_1GB"',timefield=@timestamp,split=nc_name.keyword:3).derivative().if(gt,40000000,.es(index=nc_interface_stats-*,metric=avg:nc_in-octets,q='_exists_:nc_in-octets AND nc_admin-status:UP AND nc_port-speed : "SPEED_1GB"',timefield=@timestamp,split=nc_name.keyword:3).derivative(),null).color(color=yellow)

What I get is threshold value showed on the split first interface for all the interfaces in the split. I hope the screenshots are better at showing what I mean than me.

Screen Shot 2020-05-27 at 1.39.19 pm
Screen Shot 2020-05-27 at 1.39.19 pm3748×2058 652 KB

Screen Shot 2020-05-27 at 1.39.35 pm
Screen Shot 2020-05-27 at 1.39.35 pm3750×2014 526 KB

I got this one working but now not sure it is or I am lucky that the first interfaces in the split is then one crossing the threshold.

Screen Shot 2020-05-27 at 1.50.21 pm
Screen Shot 2020-05-27 at 1.50.21 pm4226×1988 392 KB

2

Hi

Is this not clear on what I am trying to do. Or is it that easy I have miss it completely.

Ben

3

So I have done a little more digging into this and it looks like split in the if statement is only doing it on the first value. See screenshot below.

Screen Shot 2020-06-03 at 11.20.59 am
Screen Shot 2020-06-03 at 11.20.59 am2061×1279 324 KB

Is this the behaviour I should be seeing in the if statement below. Or is my if statement wrong.

.es(index=nc_interface_stats-*,metric=avg:nc_in-octets,q='_exists_:nc_in-octets AND nc_port-speed:SPEED_1GB AND nc_admin-status:UP NOT nc_name:"GigabitEthernet1/0/15" AND NOT nc_name:"GigabitEthernet1/0/11"',split=nc_hardware-port.keyword:5).derivative().fit(mode=carry).divide(divisor=60), .es(index=nc_interface_stats-*,metric=avg:nc_in-octets,q='_exists_:nc_in-octets AND nc_port-speed:SPEED_1GB AND nc_admin-status:UP NOT nc_name:"GigabitEthernet1/0/15" AND NOT nc_name:"GigabitEthernet1/0/11"',split=nc_name.keyword:5).derivative().fit(mode=carry).divide(divisor=60).fit(mode=carry).if(gt,5400,.es(index=nc_interface_stats-*,metric=avg:nc_in-octets,q='_exists_:nc_in-octets AND nc_port-speed:SPEED_1GB AND nc_admin-status:UP NOT nc_name:"GigabitEthernet1/0/15" AND NOT nc_name:"GigabitEthernet1/0/11"',split=nc_hardware-port.keyword:5).derivative().fit(mode=carry).divide(divisor=60),null).color(color=red).label(Warning)

Any pointers to the right path would be good.

4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.