Hello,
Recently I have made my first Logstash pipeline that ingests data gathered via SNMP from network devices regarding interface statistics. I have made a Timelion graph to display network interface utilization, but I noticed that from time to time I am shown a dashboard with "missing" data. I don't really know how to debug this, so please advise how I can show all data with no gaps.
My script looks like this:
.es(index=network-devices*,
timefield=@timestamp,
metric=max:cisco.device.system.interface.ifInOctets,split=cisco.device.system.interface.ifName.keyword:150)
.derivative().divide(.es(index=network-devices*,
timefield=@timestamp,
metric=max:cisco.device.system.interface.ifSpeed)).multiply(100)
.label("[$1] IN", "^.* > cisco.device.system.interface.ifName.keyword:(\S+) > .*")
.if(lt,0.001,null)
,
.es(index=network-devices*,
timefield=@timestamp,
metric=max:cisco.device.system.interface.ifOutOctets,split=cisco.device.system.interface.ifName.keyword:150)
.derivative().divide(.es(index=network-devices*,
timefield=@timestamp,
metric=max:cisco.device.system.interface.ifSpeed))
.multiply(100).label("[$1] OUT", "^.* > cisco.device.system.interface.ifName.keyword:(\S+) > .*")
.if(lt,0.001,null)
If I get rid of ".if(lt,0.001,null)", this is what the dashboard looks like.
While writing this post I realized that this happens because the counters continuously restart after some period of time. This is because I used 32-bit counters and should use 64-bit; anyway, this problem will still occur, but less often. I imagine that one resolution would be an if statement that says if the value is negative, I should add the current value to the next value and then take the derivative and do the other calculations, and offset everything +1 forward. Or something like this. Does anyone have any idea how to deal with this?
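
The counter-wrap handling asked about above, as an added example that is not part of the original post: it computes utilization from successive octet-counter readings, adds 2^32 back when a 32-bit counter wraps, and emits a gap only when the corrected rate exceeds line speed (treated here as a counter reset). The names `Sample`, `counter_delta` and `utilization_series`, the 60 s polling interval, the 100 Mbit/s speed and the reset heuristic are assumptions; octets are converted to bits because ifSpeed is reported in bits per second.

```ruby
# Added example (not from the original post): interface utilization from
# SNMP octet counters, tolerating Counter32 wrap-around and device resets.
COUNTER32_MODULUS = 2**32 # ifInOctets/ifOutOctets are 32-bit counters

Sample = Struct.new(:time, :octets) # time in seconds, raw counter value

# Octets transferred between two readings. When the counter went backwards,
# assume it wrapped exactly once and add the modulus back.
def counter_delta(prev, curr, modulus: COUNTER32_MODULUS)
  curr >= prev ? curr - prev : curr - prev + modulus
end

# Returns [time, percent] pairs. percent is nil where no trustworthy rate
# exists: a non-increasing timestamp, or a wrap-corrected rate above line
# speed, which indicates a counter reset (e.g. reboot) rather than a wrap.
def utilization_series(samples, if_speed_bps, modulus: COUNTER32_MODULUS)
  samples.each_cons(2).map do |a, b|
    dt = b.time - a.time
    next [b.time, nil] if dt <= 0
    bits = counter_delta(a.octets, b.octets, modulus: modulus) * 8.0
    pct = (bits / dt / if_speed_bps * 100.0).round(4)
    [b.time, pct > 100.0 ? nil : pct]
  end
end

# Constructed sample data: 60 s polling of a 100 Mbit/s interface.
SAMPLES = [
  Sample.new(0,   4_294_000_000),
  Sample.new(60,  4_294_900_000),
  Sample.new(120, 832_704),       # counter wrapped past 2**32
  Sample.new(180, 1_732_704),
  Sample.new(240, 5_000),         # counter reset, not a wrap
  Sample.new(300, 905_000)
].freeze

if __FILE__ == $PROGRAM_NAME
  utilization_series(SAMPLES, 100_000_000).each do |time, pct|
    puts format('t=%4ds  %s', time, pct ? "#{pct}%" : 'gap (reset)')
  end
end
```

The single-wrap assumption only holds while the polling interval is shorter than the time the counter needs to wrap at line speed; passing `modulus: 2**64` applies the same logic to 64-bit counters.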