Network throughput issue

I’m using the query below to display ifInOctets/ifOutOctets to monitor throughput and getting some weird results.

SELECT derivative("wg-ucl-ifOutOctets", 10s) *8 FROM "snmp" WHERE ("agent_host" = '192.168.5.1') AND time >= now() - 6h

Gives me a working graph

but when I mix in ifInOctets I end up with the following

While I would like to think I can pull 22Gbps of traffic, I can’t. Is this a bad value coming from the WatchGuard SNMP poll or is this something else?

I pulled these values out of Influx; it seems the collection at 50 seconds was missed - maybe this is what led to the negative value being stored?

1530102150000000000 Wednesday, June 27, 2018 12:22:30 PM 29982500
1530102160000000000 Wednesday, June 27, 2018 12:22:40 PM -34265127128
1530102180000000000 Wednesday, June 27, 2018 12:23:00 PM 68113492
1530102190000000000 Wednesday, June 27, 2018 12:23:10 PM 103987344

It looks like an overflow - I guess you are using a 32-bit SNMP counter. Try to use 64-bit counters and/or NON_NEGATIVE_DERIVATIVE() to remove negative values.

Not sure how to flag a counter as 64-bit, but the firewall is returning a Counter32

IF-MIB::ifOutOctets.65536 = Counter32: 1312561391
IF-MIB::ifOutOctets.65537 = Counter32: 890480977

So how would it overflow? Moving it to the non_negative_derivative brought the charts into a usable state without a fixed cap, but it still shows > 500Mbps in peaks, which is far faster than the connection provides. I’m wondering if the overflow is in the WatchGuard.

Try to use high capacity (HC) counters (64 bits): ifHCInOctets/ifHCOutOctets.

I figured after I re-read the post. There are no 64-bit counters I can find from the WG; they all seem to be 32-bit.
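
Added example, not part of the thread: a wrap-aware rate calculation for Counter32 octet counters, covering the case discussed above where a 32-bit counter rolls over and a poll is missed. The sample counter values, the 100 Mbps link speed and the function names are assumptions constructed for illustration.

```python
"""Wrap-aware rate calculation for SNMP Counter32 octet counters."""

COUNTER32_MOD = 2 ** 32  # Counter32 rolls over to 0 after 4294967295


def wrap_window_seconds(link_bps):
    """Seconds a Counter32 octet counter takes to wrap once at full line rate."""
    return COUNTER32_MOD * 8 / link_bps


def rates_bps(samples, link_bps):
    """Return (timestamp, bits_per_second, status) for each consecutive pair.

    samples: list of (unix_seconds, counter_value), sorted by time.
    link_bps: assumed interface speed, used for plausibility checks.
    """
    out = []
    for (t0, c0), (t1, c1) in zip(samples, samples[1:]):
        elapsed = t1 - t0
        if elapsed <= 0:
            continue  # duplicate or out-of-order point
        wrapped = c1 < c0
        delta = (c1 - c0) % COUNTER32_MOD  # correct for a single wrap
        bps = delta * 8 / elapsed  # divide by the real gap, not the nominal 10 s
        if elapsed >= wrap_window_seconds(link_bps):
            status = "ambiguous"    # more than one wrap could fit in the gap
        elif bps > link_bps:
            status = "implausible"  # likely a counter reset, not a wrap
        else:
            status = "wrapped" if wrapped else "ok"
        out.append((t1, bps, status))
    return out


# Constructed samples (not from the thread): 10 s polling, the :50 poll
# missing, and the counter rolling over between the second and third point.
SAMPLES = [
    (1530102150, 4283000000),
    (1530102160, 4294000000),
    (1530102180, 23032704),
    (1530102190, 36032704),
]
LINK_BPS = 100_000_000  # assumed 100 Mbps uplink

if __name__ == "__main__":
    for ts, bps, status in rates_bps(SAMPLES, LINK_BPS):
        print(ts, f"{bps / 1e6:.2f} Mbps", status)
```

Points marked "implausible" or "ambiguous" are the ones to drop or investigate, since a Counter32 alone cannot distinguish a device counter reset or multiple wraps from a single rollover.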