1RRDTUTORIAL(1) rrdtool RRDTUTORIAL(1)
2
6 rrdtutorial - Alex van den Bogaerdt's RRDtool tutorial
7
9 RRDtool is written by Tobias Oetiker <tobi@oetiker.ch> with contribu‐
10 tions from many people all around the world. This document is written
11 by Alex van den Bogaerdt <alex@ergens.op.het.net> to help you under‐
12 stand what RRDtool is and what it can do for you.
13 The documentation provided with RRDtool can be too technical for some
15 people. This tutorial is here to help you understand the basics of RRD‐
16 tool. It should prepare you to read the documentation yourself. It
17 also explains the general things about statistics with a focus on net‐
18 working.
19
21 Important
22 Please don't skip ahead in this document! The first part of this docu‐
24 ment explains the basics and may be boring. But if you don't under‐
25 stand the basics, the examples will not be as meaningful to you.
26 What is RRDtool?
28 RRDtool refers to Round Robin Database tool. Round robin is a tech‐
30 nique that works with a fixed amount of data, and a pointer to the cur‐
31 rent element. Think of a circle with some dots plotted on the edge --
32 these dots are the places where data can be stored. Draw an arrow from
33 the center of the circle to one of the dots -- this is the pointer.
34 When the current data is read or written, the pointer moves to the next
35 element. As we are on a circle there is neither a beginning nor an end,
36 you can go on and on and on. After a while, all the available places
37 will be used and the process automatically reuses old locations. This
38 way, the dataset will not grow in size and therefore requires no main‐
39 tenance. RRDtool works with with Round Robin Databases (RRDs). It
40 stores and retrieves data from them.
41 What data can be put into an RRD?
43 You name it, it will probably fit as long as it is some sort of time-
45 series data. This means you have to be able to measure some value at
46 several points in time and provide this information to RRDtool. If you
47 can do this, RRDtool will be able to store it. The values must be
48 numerical but don't have to be integers, as is the case with MRTG (the
49 next section will give more details on this more specialized applica‐
50 tion).
51 Many examples below talk about SNMP which is an acronym for Simple Net‐
53 work Management Protocol. "Simple" refers to the protocol -- it does
54 not mean it is simple to manage or monitor a network. After working
55 your way through this document, you should know enough to be able to
56 understand what people are talking about. For now, just realize that
57 SNMP can be used to query devices for the values of counters they keep.
58 It is the value from those counters that we want to store in the RRD.
59 What can I do with this tool?
61 RRDtool originated from MRTG (Multi Router Traffic Grapher). MRTG
63 started as a tiny little script for graphing the use of a university's
64 connection to the Internet. MRTG was later (ab-)used as a tool for
65 graphing other data sources including temperature, speed, voltage, num‐
66 ber of printouts and the like.
67 Most likely you will start to use RRDtool to store and process data
69 collected via SNMP. The data will most likely be bytes (or bits) trans‐
70 fered from and to a network or a computer. But it can also be used to
71 display tidal waves, solar radiation, power consumption, number of vis‐
72 itors at an exhibition, noise levels near an airport, temperature on
73 your favorite holiday location, temperature in the fridge and whatever
74 you imagination can come up with.
75 You only need a sensor to measure the data and be able to feed the num‐
77 bers into RRDtool. RRDtool then lets you create a database, store data
78 in it, retrieve that data and create graphs in PNG format for display
79 on a web browser. Those PNG images are dependent on the data you col‐
80 lected and could be, for instance, an overview of the average network
81 usage, or the peaks that occurred.
82 What if I still have problems after reading this document?
84 First of all: read it again! You may have missed something. If you are
86 unable to compile the sources and you have a fairly common OS, it will
87 probably not be the fault of RRDtool. There may be pre-compiled ver‐
88 sions around on the Internet. If they come from trusted sources, get
89 one of those.
90 If on the other hand the program works but does not give you the
92 expected results, it will be a problem with configuring it. Review your
93 configuration and compare it with the examples that follow.
94 There is a mailing list and an archive of it. Read the list for a few
96 weeks and search the archive. It is considered rude to just ask a ques‐
97 tion without searching the archives: your problem may already have been
98 solved for somebody else! This is true for most, if not all, mailing
99 lists and not only for this particular one. Look in the documentation
100 that came with RRDtool for the location and usage of the list.
101 I suggest you take a moment to subscribe to the mailing list right now
103 by sending an email to <rrd-users-request@lists.oetiker.ch> with a sub‐
104 ject of "subscribe". If you ever want to leave this list, just write an
105 email to the same address but now with a subject of "unsubscribe".
106 How will you help me?
108 By giving you some detailed descriptions with detailed examples. I
110 assume that following the instructions in the order presented will give
111 you enough knowledge of RRDtool to experiment for yourself. If it
112 doesn't work the first time, don't give up. Reread the stuff that you
113 did understand, you may have missed something.
114 By following the examples you get some hands-on experience and, even
116 more important, some background information of how it works.
117 You will need to know something about hexadecimal numbers. If you don't
119 then start with reading bin_dec_hex tutorial before you continue here.
120 Your first Round Robin Database
122 In my opinion the best way to learn something is to actually do it.
124 Why not start right now? We will create a database, put some values in
125 it and extract this data again. Your output should be the same as the
126 output that is included in this document.
127 We will start with some easy stuff and compare a car with a router, or
129 compare kilometers (miles if you wish) with bits and bytes. It's all
130 the same: some number over some time.
131 Assume we have a device that transfers bytes to and from the Internet.
133 This device keeps a counter that starts at zero when it is turned on,
134 increasing with every byte that is transfered. This counter will proba‐
135 bly have a maximum value. If this value is reached and an extra byte is
136 counted, the counter starts over at zero. This is the same as many
137 counters in the world such as the mileage counter in a car.
138 Most discussions about networking talk about bits per second so lets
140 get used to that right away. Assume a byte is eight bits and start to
141 think in bits not bytes. The counter, however, still counts bytes! In
142 the SNMP world most of the counters are 32 bits. That means they are
143 counting from 0 to 4'294'967'295. We will use these values in the exam‐
144 ples. The device, when asked, returns the current value of the
145 counter. We know the time that has passes since we last asked so we now
146 know how many bytes have been transfered ***on average*** per second.
147 This is not very hard to calculate. First in words, then in calcula‐
148 tions:
149 1. Take the current counter, subtract the previous value from it.
151 2. Do the same with the current time and the previous time (in sec‐
153 onds).
154 3. Divide the outcome of (1) by the outcome of (2), the result is the
156 amount of bytes per second. Multiply by eight to get the number of
157 bits per second (bps).
158 bps = (counter_now - counter_before) / (time_now - time_before) * 8
160 For some people it may help to translate this to an automobile example.
162 Do not try this example, and if you do, don't blame me for the results!
163 People who are not used to think in kilometers per hour can translate
165 most into miles per hour by dividing km by 1.6 (close enough). I will
166 use the following abbreviations:
167 M: meter
169 KM: kilometer (= 1'000 meters).
170 H: hour
171 S: second
172 KM/H: kilometers per hour
173 M/S: meters per second
174 You are driving a car. At 12:05 you read the counter in the dashboard
176 and it tells you that the car has moved 12'345 KM until that moment.
177 At 12:10 you look again, it reads 12'357 KM. This means you have trav‐
178 eled 12 KM in five minutes. A scientist would translate that into
179 meters per second and this makes a nice comparison toward the problem
180 of (bytes per five minutes) versus (bits per second).
181 We traveled 12 kilometers which is 12'000 meters. We did that in five
183 minutes or 300 seconds. Our speed is 12'000M / 300S or 40 M/S.
184 We could also calculate the speed in KM/H: 12 times 5 minutes is an
186 hour, so we have to multiply 12 KM by 12 to get 144 KM/H. For our
187 native English speaking friends: that's 90 MPH so don't try this exam‐
188 ple at home or where I live :)
189 Remember: these numbers are averages only. There is no way to figure
191 out from the numbers, if you drove at a constant speed. There is an
192 example later on in this tutorial that explains this.
193 I hope you understand that there is no difference in calculating M/S or
195 bps; only the way we collect the data is different. Even the K from
196 kilo is the same as in networking terms k also means 1'000.
197 We will now create a database where we can keep all these interesting
199 numbers. The method used to start the program may differ slightly from
200 OS to OS, but I assume you can figure it out if it works different on
201 your's. Make sure you do not overwrite any file on your system when
202 executing the following command and type the whole line as one long
203 line (I had to split it for readability) and skip all of the '\' char‐
204 acters.
205 rrdtool create test.rrd \
207 --start 920804400 \
208 DS:speed:COUNTER:600:U:U \
209 RRA:AVERAGE:0.5:1:24 \
210 RRA:AVERAGE:0.5:6:10
211 (So enter: "rrdtool create test.rrd --start 920804400 DS ...")
213 What has been created?
215 We created the round robin database called test (test.rrd) which starts
217 at noon the day I started writing this document, 7th of March, 1999
218 (this date translates to 920'804'400 seconds as explained below). Our
219 database holds one data source (DS) named "speed" that represents a
220 counter. This counter is read every five minutes (this is the default
221 therefore you don't have to put "--step=300"). In the same database
222 two round robin archives (RRAs) are kept, one averages the data every
223 time it is read (e.g., there's nothing to average) and keeps 24 samples
224 (24 times 5 minutes is 2 hours). The other averages 6 values (half
225 hour) and contains 10 such averages (e.g. 5 hours).
226 RRDtool works with special time stamps coming from the UNIX world.
228 This time stamp is the number of seconds that passed since January 1st
229 1970 UTC. The time stamp value is translated into local time and it
230 will therefore look different for different time zones.
231 Chances are that you are not in the same part of the world as I am.
233 This means your time zone is different. In all examples where I talk
234 about time, the hours may be wrong for you. This has little effect on
235 the results of the examples, just correct the hours while reading. As
236 an example: where I will see "12:05" the UK folks will see "11:05".
237 We now have to fill our database with some numbers. We'll pretend to
239 have read the following numbers:
240 12:05 12345 KM
242 12:10 12357 KM
243 12:15 12363 KM
244 12:20 12363 KM
245 12:25 12363 KM
246 12:30 12373 KM
247 12:35 12383 KM
248 12:40 12393 KM
249 12:45 12399 KM
250 12:50 12405 KM
251 12:55 12411 KM
252 13:00 12415 KM
253 13:05 12420 KM
254 13:10 12422 KM
255 13:15 12423 KM
256 We fill the database as follows:
258 rrdtool update test.rrd 920804700:12345 920805000:12357 920805300:12363
260 rrdtool update test.rrd 920805600:12363 920805900:12363 920806200:12373
261 rrdtool update test.rrd 920806500:12383 920806800:12393 920807100:12399
262 rrdtool update test.rrd 920807400:12405 920807700:12411 920808000:12415
263 rrdtool update test.rrd 920808300:12420 920808600:12422 920808900:12423
264 This reads: update our test database with the following numbers
266 time 920804700, value 12345
268 time 920805000, value 12357
269 etcetera.
271 As you can see, it is possible to feed more than one value into the
273 database in one command. I had to stop at three for readability but the
274 real maximum per line is OS dependent.
275 We can now retrieve the data from our database using "rrdtool fetch":
277 rrdtool fetch test.rrd AVERAGE --start 920804400 --end 920809200
279 It should return the following output:
281 speed
283 920804700: nan
285 920805000: 4.0000000000e-02
286 920805300: 2.0000000000e-02
287 920805600: 0.0000000000e+00
288 920805900: 0.0000000000e+00
289 920806200: 3.3333333333e-02
290 920806500: 3.3333333333e-02
291 920806800: 3.3333333333e-02
292 920807100: 2.0000000000e-02
293 920807400: 2.0000000000e-02
294 920807700: 2.0000000000e-02
295 920808000: 1.3333333333e-02
296 920808300: 1.6666666667e-02
297 920808600: 6.6666666667e-03
298 920808900: 3.3333333333e-03
299 920809200: nan
300 If it doesn't, something may be wrong. Perhaps your OS will print
302 "NaN" in a different form. "NaN" stands for "Not A Number". If your OS
303 writes "U" or "UNKN" or something similar that's okay. If something
304 else is wrong, it will probably be due to an error you made (assuming
305 that my tutorial is correct of course :-). In that case: delete the
306 database and try again. Sometimes things change. This example used to
307 provide numbers like "0.04" in stead of "4.00000e-02". Those are
308 really the same numbers, just written down differently. Don't be
309 alarmed if a future version of rrdtool displays a slightly different
310 form of output. The examples in this document are correct for version
311 1.2.0 of RRDtool.
312 The meaning of the above output will become clear below.
314 Time to create some graphics
316 Try the following command:
318 rrdtool graph speed.png \
320 --start 920804400 --end 920808000 \
321 DEF:myspeed=test.rrd:speed:AVERAGE \
322 LINE2:myspeed#FF0000
323 This will create speed.png which starts at 12:00 and ends at 13:00.
325 There is a definition of a variable called myspeed, using the data from
326 RRA "speed" out of database "test.rrd". The line drawn is 2 pixels high
327 and represents the variable myspeed. The color is red (specified by its
328 rgb-representation, see below).
329 You'll notice that the start of the graph is not at 12:00 but at 12:05.
331 This is because we have insufficient data to tell the average before
332 that time. This will only happen when you miss some samples, this will
333 not happen a lot, hopefully.
334 If this has worked: congratulations! If not, check what went wrong.
336 The colors are built up from red, green and blue. For each of the com‐
338 ponents, you specify how much to use in hexadecimal where 00 means not
339 included and FF means fully included. The "color" white is a mixture
340 of red, green and blue: FFFFFF The "color" black is all colors off:
341 000000
342 red #FF0000
344 green #00FF00
345 blue #0000FF
346 magenta #FF00FF (mixed red with blue)
347 gray #555555 (one third of all components)
348 Additionally you can add an alpha channel (transparency). The default
350 will be "FF" which means non-transparent.
351 The PNG you just created can be displayed using your favorite image
353 viewer. Web browsers will display the PNG via the URL
354 "file:///the/path/to/speed.png"
355 Graphics with some math
357 When looking at the image, you notice that the horizontal axis is
359 labeled 12:10, 12:20, 12:30, 12:40 and 12:50. Sometimes a label doesn't
360 fit (12:00 and 13:00 would be candidates) so they are skipped.
361 The vertical axis displays the range we entered. We provided kilometers
363 and when divided by 300 seconds, we get very small numbers. To be
364 exact, the first value was 12 (12'357-12'345) and divided by 300 this
365 makes 0.04, which is displayed by RRDtool as "40 m" meaning "40/1'000".
366 The "m" (milli) has nothing to do with meters, kilometers or millime‐
367 ters! RRDtool doesn't know about the physical units of our data, it
368 just works with dimensionless numbers.
369 If we had measured our distances in meters, this would have been
371 (12'357'000-12'345'000)/300 = 12'000/300 = 40.
372 As most people have a better feel for numbers in this range, we'll cor‐
374 rect that. We could recreate our database and store the correct data,
375 but there is a better way: we do some calculations while creating the
376 png file!
377 rrdtool graph speed2.png \
379 --start 920804400 --end 920808000 \
380 --vertical-label m/s \
381 DEF:myspeed=test.rrd:speed:AVERAGE \
382 CDEF:realspeed=myspeed,1000,\* \
383 LINE2:realspeed#FF0000
384 Note: Make sure not to forget the backslash \ in front of the multipli‐
386 cation operator * above. The backslash is needed to "escape" the * as
387 some operating systems might interpret and expand * instead of passing
388 it to the rrdtool command.
389 After viewing this PNG, you notice the "m" (milli) has disappeared.
391 This it what the correct result would be. Also, a label has been added
392 to the image. Apart from the things mentioned above, the PNG should
393 look the same.
394 The calculations are specified in the CDEF part above and are in
396 Reverse Polish Notation ("RPN"). What we requested RRDtool to do is:
397 "take the data source myspeed and the number 1000; multiply those".
398 Don't bother with RPN yet, it will be explained later on in more
399 detail. Also, you may want to read my tutorial on CDEFs and Steve
400 Rader's tutorial on RPN. But first finish this tutorial.
401 Hang on! If we can multiply values with 1'000, it should also be possi‐
403 ble to display kilometers per hour from the same data!
404 To change a value that is measured in meters per second:
406 Calculate meters per hour: value * 3'600
408 Calculate kilometers per hour: value / 1'000
409 Together this makes: value * (3'600/1'000) or value * 3.6
410 In our example database we made a mistake and we need to compensate for
412 this by multiplying with 1'000. Applying that correction:
413 value * 3.6 * 1'000 == value * 3'600
415 Now let's create this PNG, and add some more magic ...
417 rrdtool graph speed3.png \
419 --start 920804400 --end 920808000 \
420 --vertical-label km/h \
421 DEF:myspeed=test.rrd:speed:AVERAGE \
422 "CDEF:kmh=myspeed,3600,*" \
423 CDEF:fast=kmh,100,GT,kmh,0,IF \
424 CDEF:good=kmh,100,GT,0,kmh,IF \
425 HRULE:100#0000FF:"Maximum allowed" \
426 AREA:good#00FF00:"Good speed" \
427 AREA:fast#FF0000:"Too fast"
428 Note: here we use another means to escape the * operator by enclosing
430 the whole string in double quotes.
431 This graph looks much better. Speed is shown in KM/H and there is even
433 an extra line with the maximum allowed speed (on the road I travel on).
434 I also changed the colors used to display speed and changed it from a
435 line into an area.
436 The calculations are more complex now. For speed measurements within
438 the speed limit they are:
439 Check if kmh is greater than 100 ( kmh,100 ) GT
441 If so, return 0, else kmh ((( kmh,100 ) GT ), 0, kmh) IF
442 For values above the speed limit:
444 Check if kmh is greater than 100 ( kmh,100 ) GT
446 If so, return kmh, else return 0 ((( kmh,100) GT ), kmh, 0) IF
447 Graphics Magic
449 I like to believe there are virtually no limits to how RRDtool graph
451 can manipulate data. I will not explain how it works, but look at the
452 following PNG:
453 rrdtool graph speed4.png \
455 --start 920804400 --end 920808000 \
456 --vertical-label km/h \
457 DEF:myspeed=test.rrd:speed:AVERAGE \
458 "CDEF:kmh=myspeed,3600,*" \
459 CDEF:fast=kmh,100,GT,100,0,IF \
460 CDEF:over=kmh,100,GT,kmh,100,-,0,IF \
461 CDEF:good=kmh,100,GT,0,kmh,IF \
462 HRULE:100#0000FF:"Maximum allowed" \
463 AREA:good#00FF00:"Good speed" \
464 AREA:fast#550000:"Too fast" \
465 STACK:over#FF0000:"Over speed"
466 Let's create a quick and dirty HTML page to view the three PNGs:
468 <HTML><HEAD><TITLE>Speed</TITLE></HEAD><BODY>
470 <IMG src="speed2.png" alt="Speed in meters per second">
471 <BR>
472 <IMG src="speed3.png" alt="Speed in kilometers per hour">
473 <BR>
474 <IMG src="speed4.png" alt="Traveled too fast?">
475 </BODY></HTML>
476 Name the file "speed.html" or similar, and look at it in your web
478 browser.
479 Now, all you have to do is measure the values regularly and update the
481 database. When you want to view the data, recreate the PNGs and make
482 sure to refresh them in your browser. (Note: just clicking reload may
483 not be enough, especially when proxies are involved. Try shift-reload
484 or ctrl-F5).
485 Updates in Reality
487 We've already used the "update" command: it took one or more parameters
489 in the form of "<time>:<value>". You'll be glad to know that you can
490 specify the current time by filling in a "N" as the time. Or you could
491 use the "time" function in Perl (the shortest example in this tuto‐
492 rial):
493 perl -e 'print time, "\n" '
495 How to run a program on regular intervals is OS specific. But here is
497 an example in pseudo code:
498 - Get the value and put it in variable "$speed"
500 - rrdtool update speed.rrd N:$speed
501 (do not try this with our test database, we'll use it in further exam‐
503 ples)
504 This is all. Run the above script every five minutes. When you need to
506 know what the graphs look like, run the examples above. You could put
507 them in a script as well. After running that script, view the page
508 index.html we created above.
509 Some words on SNMP
511 I can imagine very few people that will be able to get real data from
513 their car every five minutes. All other people will have to settle for
514 some other kind of counter. You could measure the number of pages
515 printed by a printer, for example, the cups of coffee made by the cof‐
516 fee machine, a device that counts the electricity used, whatever. Any
517 incrementing counter can be monitored and graphed using the stuff you
518 learned so far. Later on we will also be able to monitor other types of
519 values like temperature.
520 Most (?) people interested in RRDtool will use the counter that keeps
522 track of octets (bytes) transfered by a network device. So let's do
523 just that next. We will start with a description of how to collect
524 data.
525 Some people will make a remark that there are tools which can do this
527 data collection for you. They are right! However, I feel it is impor‐
528 tant that you understand they are not necessary. When you have to
529 determine why things went wrong you need to know how they work.
530 One tool used in the example has been talked about very briefly in the
532 beginning of this document, it is called SNMP. It is a way of talking
533 to networked equipment. The tool I use below is called "snmpget" and
534 this is how it works:
535 snmpget device password OID
537 or
539 snmpget -v[version] -c[password] device OID
541 For device you substitute the name, or the IP address, of your device.
543 For password you use the "community read string" as it is called in the
544 SNMP world. For some devices the default of "public" might work, how‐
545 ever this can be disabled, altered or protected for privacy and secu‐
546 rity reasons. Read the documentation that comes with your device or
547 program.
548 Then there is this parameter, called OID, which means "object identi‐
550 fier".
551 When you start to learn about SNMP it looks very confusing. It isn't
553 all that difficult when you look at the Management Information Base
554 ("MIB"). It is an upside-down tree that describes data, with a single
555 node as the root and from there a number of branches. These branches
556 end up in another node, they branch out, etc. All the branches have a
557 name and they form the path that we follow all the way down. The
558 branches that we follow are named: iso, org, dod, internet, mgmt and
559 mib-2. These names can also be written down as numbers and are 1 3 6 1
560 2 1.
561 iso.org.dod.internet.mgmt.mib-2 (1.3.6.1.2.1)
563 There is a lot of confusion about the leading dot that some programs
565 use. There is *no* leading dot in an OID. However, some programs can
566 use the above part of OIDs as a default. To indicate the difference
567 between abbreviated OIDs and full OIDs they need a leading dot when you
568 specify the complete OID. Often those programs will leave out the
569 default portion when returning the data to you. To make things worse,
570 they have several default prefixes ...
571 Ok, lets continue to the start of our OID: we had 1.3.6.1.2.1 From
573 there, we are especially interested in the branch "interfaces" which
574 has number 2 (e.g., 1.3.6.1.2.1.2 or 1.3.6.1.2.1.interfaces).
575 First, we have to get some SNMP program. First look if there is a pre-
577 compiled package available for your OS. This is the preferred way. If
578 not, you will have to get the sources yourself and compile those. The
579 Internet is full of sources, programs etc. Find information using a
580 search engine or whatever you prefer.
581 Assume you got the program. First try to collect some data that is
583 available on most systems. Remember: there is a short name for the part
584 of the tree that interests us most in the world we live in!
585 I will give an example which can be used on Fedora Core 3. If it
587 doesn't work for you, work your way through the manual of snmp and
588 adapt the example to make it work.
589 snmpget -v2c -c public myrouter system.sysDescr.0
591 The device should answer with a description of itself, perhaps an empty
593 one. Until you got a valid answer from a device, perhaps using a dif‐
594 ferent "password", or a different device, there is no point in continu‐
595 ing.
596 snmpget -v2c -c public myrouter interfaces.ifNumber.0
598 Hopefully you get a number as a result, the number of interfaces. If
600 so, you can carry on and try a different program called "snmpwalk".
601 snmpwalk -v2c -c public myrouter interfaces.ifTable.ifEntry.ifDescr
603 If it returns with a list of interfaces, you're almost there. Here's
605 an example:
606 [user@host /home/alex]$ snmpwalk -v2c -c public cisco 2.2.1.2
607 interfaces.ifTable.ifEntry.ifDescr.1 = "BRI0: B-Channel 1"
609 interfaces.ifTable.ifEntry.ifDescr.2 = "BRI0: B-Channel 2"
610 interfaces.ifTable.ifEntry.ifDescr.3 = "BRI0" Hex: 42 52 49 30
611 interfaces.ifTable.ifEntry.ifDescr.4 = "Ethernet0"
612 interfaces.ifTable.ifEntry.ifDescr.5 = "Loopback0"
613 On this cisco equipment, I would like to monitor the "Ethernet0" inter‐
615 face and from the above output I see that it is number four. I try:
616 [user@host /home/alex]$ snmpget -v2c -c public cisco 2.2.1.10.4 2.2.1.16.4
618 interfaces.ifTable.ifEntry.ifInOctets.4 = 2290729126
620 interfaces.ifTable.ifEntry.ifOutOctets.4 = 1256486519
621 So now I have two OIDs to monitor and they are (in full, this time):
623 1.3.6.1.2.1.2.2.1.10
625 and
627 1.3.6.1.2.1.2.2.1.16
629 both with an interface number of 4.
631 Don't get fooled, this wasn't my first try. It took some time for me
633 too to understand what all these numbers mean. It does help a lot when
634 they get translated into descriptive text... At least, when people are
635 talking about MIBs and OIDs you know what it's all about. Do not for‐
636 get the interface number (0 if it is not interface dependent) and try
637 snmpwalk if you don't get an answer from snmpget.
638 If you understand the above section and get numbers from your device,
640 continue on with this tutorial. If not, then go back and re-read this
641 part.
642 A Real World Example
644 Let the fun begin. First, create a new database. It contains data from
646 two counters, called input and output. The data is put into archives
647 that average it. They take 1, 6, 24 or 288 samples at a time. They
648 also go into archives that keep the maximum numbers. This will be
649 explained later on. The time in-between samples is 300 seconds, a good
650 starting point, which is the same as five minutes.
651 1 sample "averaged" stays 1 period of 5 minutes
653 6 samples averaged become one average on 30 minutes
654 24 samples averaged become one average on 2 hours
655 288 samples averaged become one average on 1 day
656 Lets try to be compatible with MRTG which stores about the following
658 amount of data:
659 600 5-minute samples: 2 days and 2 hours
661 600 30-minute samples: 12.5 days
662 600 2-hour samples: 50 days
663 732 1-day samples: 732 days
664 These ranges are appended, so the total amount of data stored in the
666 database is approximately 797 days. RRDtool stores the data differ‐
667 ently, it doesn't start the "weekly" archive where the "daily" archive
668 stopped. For both archives the most recent data will be near "now" and
669 therefore we will need to keep more data than MRTG does!
670 We will need:
672 600 samples of 5 minutes (2 days and 2 hours)
674 700 samples of 30 minutes (2 days and 2 hours, plus 12.5 days)
675 775 samples of 2 hours (above + 50 days)
676 797 samples of 1 day (above + 732 days, rounded up to 797)
677 rrdtool create myrouter.rrd \
679 DS:input:COUNTER:600:U:U \
680 DS:output:COUNTER:600:U:U \
681 RRA:AVERAGE:0.5:1:600 \
682 RRA:AVERAGE:0.5:6:700 \
683 RRA:AVERAGE:0.5:24:775 \
684 RRA:AVERAGE:0.5:288:797 \
685 RRA:MAX:0.5:1:600 \
686 RRA:MAX:0.5:6:700 \
687 RRA:MAX:0.5:24:775 \
688 RRA:MAX:0.5:288:797
689 Next thing to do is to collect data and store it. Here is an example.
691 It is written partially in pseudo code, you will have to find out what
692 to do exactly on your OS to make it work.
693 while not the end of the universe
695 do
696 get result of
697 snmpget router community 2.2.1.10.4
698 into variable $in
699 get result of
700 snmpget router community 2.2.1.16.4
701 into variable $out
702 rrdtool update myrouter.rrd N:$in:$out
704 wait for 5 minutes
706 done
707 Then, after collecting data for a day, try to create an image using:
709 rrdtool graph myrouter-day.png --start -86400 \
711 DEF:inoctets=myrouter.rrd:input:AVERAGE \
712 DEF:outoctets=myrouter.rrd:output:AVERAGE \
713 AREA:inoctets#00FF00:"In traffic" \
714 LINE1:outoctets#0000FF:"Out traffic"
715 This should produce a picture with one day worth of traffic. One day
717 is 24 hours of 60 minutes of 60 seconds: 24*60*60=86'400, we start at
718 now minus 86'400 seconds. We define (with DEFs) inoctets and outoctets
719 as the average values from the database myrouter.rrd and draw an area
720 for the "in" traffic and a line for the "out" traffic.
721 View the image and keep logging data for a few more days. If you like,
723 you could try the examples from the test database and see if you can
724 get various options and calculations to work.
725 Suggestion: Display in bytes per second and in bits per second. Make
727 the Ethernet graphics go red if they are over four megabits per second.
728 Consolidation Functions
730 A few paragraphs back I mentioned the possibility of keeping the maxi‐
732 mum values instead of the average values. Let's go into this a bit
733 more.
734 Recall all the stuff about the speed of the car. Suppose we drove at
736 144 KM/H during 5 minutes and then were stopped by the police for 25
737 minutes. At the end of the lecture we would take our laptop and create
738 and view the image taken from the database. If we look at the second
739 RRA we did create, we would have the average from 6 samples. The sam‐
740 ples measured would be 144+0+0+0+0+0=144, divided by 30 minutes, cor‐
741 rected for the error by 1000, translated into KM/H, with a result of 24
742 KM/H. I would still get a ticket but not for speeding anymore :)
743 Obviously, in this case we shouldn't look at the averages. In some
745 cases they are handy. If you want to know how many KM you had traveled,
746 the averaged picture would be the right one to look at. On the other
747 hand, for the speed that we traveled at, the maximum numbers seen is
748 much more interesting. Later we will see more types.
749 It is the same for data. If you want to know the amount, look at the
751 averages. If you want to know the rate, look at the maximum. Over
752 time, they will grow apart more and more. In the last database we have
753 created, there are two archives that keep data per day. The archive
754 that keeps averages will show low numbers, the archive that shows max‐
755 ima will have higher numbers.
756 For my car this would translate in averages per day of 96/24=4 KM/H (as
758 I travel about 94 kilometers on a day) during working days, and maxima
759 of 120 KM/H (my top speed that I reach every day).
760 Big difference. Do not look at the second graph to estimate the dis‐
762 tances that I travel and do not look at the first graph to estimate my
763 speed. This will work if the samples are close together, as they are in
764 five minutes, but not if you average.
765 On some days, I go for a long ride. If I go across Europe and travel
767 for 12 hours, the first graph will rise to about 60 KM/H. The second
768 one will show 180 KM/H. This means that I traveled a distance of 60
769 KM/H times 24 H = 1440 KM. I did this with a higher speed and a maximum
770 around 180 KM/H. However, it probably doesn't mean that I traveled for
771 8 hours at a constant speed of 180 KM/H!
772 This is a real example: go with the flow through Germany (fast!) and
774 stop a few times for gas and coffee. Drive slowly through Austria and
775 the Netherlands. Be careful in the mountains and villages. If you would
776 look at the graphs created from the five-minute averages you would get
777 a totally different picture. You would see the same values on the aver‐
778 age and maximum graphs (provided I measured every 300 seconds). You
779 would be able to see when I stopped, when I was in top gear, when I
780 drove over fast highways etc. The granularity of the data is much
781 higher, so you can see more. However, this takes 12 samples per hour,
782 or 288 values per day, so it would be a lot of data over a longer
783 period of time. Therefore we average it, eventually to one value per
784 day. From this one value, we cannot see much detail, of course.
785 Make sure you understand the last few paragraphs. There is no value in
787 only a line and a few axis, you need to know what they mean and inter‐
788 pret the data in ana appropriate way. This is true for all data.
789 The biggest mistake you can make is to use the collected data for some‐
791 thing that it is not suitable for. You would be better off if you
792 didn't have the graph at all.
793 Let's review what you now should know
795 You know how to create a database and can put data in it. You can get
797 the numbers out again by creating an image, do math on the data from
798 the database and view the resulte instead of the raw data. You know
799 about the difference between averages and maxima, and when to use which
800 (or at least you should have an idea).
801 RRDtool can do more than what we have learned up to now. Before you
803 continue with the rest of this doc, I recommend that you reread from
804 the start and try some modifications on the examples. Make sure you
805 fully understand everything. It will be worth the effort and helps you
806 not only with the rest of this tutorial, but also in your day to day
807 monitoring long after you read this introduction.
808 Data Source Types
810 All right, you feel like continuing. Welcome back and get ready for an
812 increased speed in the examples and explanations.
813 You know that in order to view a counter over time, you have to take
815 two numbers and divide the difference of them between the time lapsed.
816 This makes sense for the examples I gave you but there are other possi‐
817 bilities. For instance, I'm able to retrieve the temperature from my
818 router in three places namely the inlet, the so called hot-spot and the
819 exhaust. These values are not counters. If I take the difference of
820 the two samples and divide that by 300 seconds I would be asking for
821 the temperature change per second. Hopefully this is zero! If not, the
822 computer room is probably on fire :)
823 So, what can we do? We can tell RRDtool to store the values we measure
825 directly as they are (this is not entirely true but close enough). The
826 graphs we make will look much better, they will show a rather constant
827 value. I know when the router is busy (it works -> it uses more elec‐
828 tricity -> it generates more heat -> the temperature rises). I know
829 when the doors are left open (the room is air conditioned) -> the warm
830 air from the rest of the building flows into the computer room -> the
831 inlet temperature rises). Etc. The data type we use when creating the
832 database before was counter, we now have a different data type and thus
833 a different name for it. It is called GAUGE. There are more such data
834 types:
835 - COUNTER we already know this one
837 - GAUGE we just learned this one
838 - DERIVE
839 - ABSOLUTE
840 The two additional types are DERIVE and ABSOLUTE. Absolute can be used
842 like counter with one difference: RRDtool assumes the counter is reset
843 when it's read. That is: its delta is known without calculation by RRD‐
844 tool whereas RRDtool needs to calculate it for the counter type. Exam‐
845 ple: our first example (12'345, 12'357, 12'363, 12'363) would read:
846 unknown, 12, 6, 0. The rest of the calculations stay the same. The
847 other one, derive, is like counter. Unlike counter, it can also
848 decrease so it can have a negative delta. Again, the rest of the calcu‐
849 lations stay the same.
850 Let's try them all:
852 rrdtool create all.rrd --start 978300900 \
854 DS:a:COUNTER:600:U:U \
855 DS:b:GAUGE:600:U:U \
856 DS:c:DERIVE:600:U:U \
857 DS:d:ABSOLUTE:600:U:U \
858 RRA:AVERAGE:0.5:1:10
859 rrdtool update all.rrd \
860 978301200:300:1:600:300 \
861 978301500:600:3:1200:600 \
862 978301800:900:5:1800:900 \
863 978302100:1200:3:2400:1200 \
864 978302400:1500:1:2400:1500 \
865 978302700:1800:2:1800:1800 \
866 978303000:2100:4:0:2100 \
867 978303300:2400:6:600:2400 \
868 978303600:2700:4:600:2700 \
869 978303900:3000:2:1200:3000
870 rrdtool graph all1.png -s 978300600 -e 978304200 -h 400 \
871 DEF:linea=all.rrd:a:AVERAGE LINE3:linea#FF0000:"Line A" \
872 DEF:lineb=all.rrd:b:AVERAGE LINE3:lineb#00FF00:"Line B" \
873 DEF:linec=all.rrd:c:AVERAGE LINE3:linec#0000FF:"Line C" \
874 DEF:lined=all.rrd:d:AVERAGE LINE3:lined#000000:"Line D"
875 RRDtool under the Microscope
877 · Line A is a COUNTER type, so it should continuously increment and
879 RRDtool must calculate the differences. Also, RRDtool needs to divide
880 the difference by the amount of time lapsed. This should end up as a
881 straight line at 1 (the deltas are 300, the time is 300).
882 · Line B is of type GAUGE. These are "real" values so they should match
884 what we put in: a sort of a wave.
885 · Line C is of type DERIVE. It should be a counter that can decrease.
887 It does so between 2'400 and 0, with 1'800 in-between.
888 · Line D is of type ABSOLUTE. This is like counter but it works on val‐
890 ues without calculating the difference. The numbers are the same and
891 as you can see (hopefully) this has a different result.
892 This translates in the following values, starting at 23:10 and ending
894 at 00:10 the next day (where "u" means unknown/unplotted):
895 - Line A: u u 1 1 1 1 1 1 1 1 1 u
897 - Line B: u 1 3 5 3 1 2 4 6 4 2 u
898 - Line C: u u 2 2 2 0 -2 -6 2 0 2 u
899 - Line D: u 1 2 3 4 5 6 7 8 9 10 u
900 If your PNG shows all this, you know you have entered the data cor‐
902 rectly, the RRDtool executable is working properly, your viewer doesn't
903 fool you, and you successfully entered the year 2000 :)
904 You could try the same example four times, each time with only one of
906 the lines.
907 Let's go over the data again:
909 · Line A: 300,600,900 and so on. The counter delta is a constant 300
911 and so is the time delta. A number divided by itself is always 1
912 (except when dividing by zero which is undefined/illegal).
913 Why is it that the first point is unknown? We do know what we put
915 into the database, right? True, But we didn't have a value to calcu‐
916 late the delta from, so we don't know where we started. It would be
917 wrong to assume we started at zero so we don't!
918 · Line B: There is nothing to calculate. The numbers are as they are.
920 · Line C: Again, the start-out value is unknown. The same story is
922 holds as for line A. In this case the deltas are not constant, there‐
923 fore the line is not either. If we would put the same numbers in the
924 database as we did for line A, we would have gotten the same line.
925 Unlike type counter, this type can decrease and I hope to show you
926 later on why this makes a difference.
927 · Line D: Here the device calculates the deltas. Therefore we DO know
929 the first delta and it is plotted. We had the same input as with line
930 A, but the meaning of this input is different and thus the line is
931 different. In this case the deltas increase each time with 300. The
932 time delta stays at a constant 300 and therefore the division of the
933 two gives increasing values.
934 Counter Wraps
936 There are a few more basics to show. Some important options are still
938 to be covered and we haven't look at counter wraps yet. First the
939 counter wrap: In our car we notice that the counter shows 999'987. We
940 travel 20 KM and the counter should go to 1'000'007. Unfortunately,
941 there are only six digits on our counter so it really shows 000'007. If
942 we would plot that on a type DERIVE, it would mean that the counter was
943 set back 999'980 KM. It wasn't, and there has to be some protection for
944 this. This protection is only available for type COUNTER which should
945 be used for this kind of counter anyways. How does it work? Type
946 counter should never decrease and therefore RRDtool must assume it
947 wrapped if it does decrease! If the delta is negative, this can be
948 compensated for by adding the maximum value of the counter + 1. For our
949 car this would be:
950 Delta = 7 - 999'987 = -999'980 (instead of 1'000'007-999'987=20)
952 Real delta = -999'980 + 999'999 + 1 = 20
954 At the time of writing this document, RRDtool knows of counters that
956 are either 32 bits or 64 bits of size. These counters can handle the
957 following different values:
958 - 32 bits: 0 .. 4'294'967'295
960 - 64 bits: 0 .. 18'446'744'073'709'551'615
961 If these numbers look strange to you, you can view them in their hexa‐
963 decimal form:
964 - 32 bits: 0 .. FFFFFFFF
966 - 64 bits: 0 .. FFFFFFFFFFFFFFFF
967 RRDtool handles both counters the same. If an overflow occurs and the
969 delta would be negative, RRDtool first adds the maximum of a small
970 counter + 1 to the delta. If the delta is still negative, it had to be
971 the large counter that wrapped. Add the maximum possible value of the
972 large counter + 1 and subtract the erroneously added small value.
973 There is a risk in this: suppose the large counter wrapped while adding
975 a huge delta, it could happen, theoretically, that adding the smaller
976 value would make the delta positive. In this unlikely case the results
977 would not be correct. The increase should be nearly as high as the max‐
978 imum counter value for that to happen, so chances are you would have
979 several other problems as well and this particular problem would not
980 even be worth thinking about. Even though, I did include an example, so
981 you can judge for yourself.
982 The next section gives you some numerical examples for counter-wraps.
984 Try to do the calculations yourself or just believe me if your calcula‐
985 tor can't handle the numbers :)
986 Correction numbers:
988 - 32 bits: (4'294'967'295 + 1) = 4'294'967'296
990 - 64 bits: (18'446'744'073'709'551'615 + 1)
991 - correction1 = 18'446'744'069'414'584'320
992 Before: 4'294'967'200
994 Increase: 100
995 Should become: 4'294'967'300
996 But really is: 4
997 Delta: -4'294'967'196
998 Correction1: -4'294'967'196 + 4'294'967'296 = 100
999 Before: 18'446'744'073'709'551'000
1001 Increase: 800
1002 Should become: 18'446'744'073'709'551'800
1003 But really is: 184
1004 Delta: -18'446'744'073'709'550'816
1005 Correction1: -18'446'744'073'709'550'816
1006 + 4'294'967'296 = -18'446'744'069'414'583'520
1007 Correction2: -18'446'744'069'414'583'520
1008 + 18'446'744'069'414'584'320 = 800
1009 Before: 18'446'744'073'709'551'615 ( maximum value )
1011 Increase: 18'446'744'069'414'584'320 ( absurd increase, minimum for
1012 Should become: 36'893'488'143'124'135'935 this example to work )
1013 But really is: 18'446'744'069'414'584'319
1014 Delta: -4'294'967'296
1015 Correction1: -4'294'967'296 + 4'294'967'296 = 0
1016 (not negative -> no correction2)
1017 Before: 18'446'744'073'709'551'615 ( maximum value )
1019 Increase: 18'446'744'069'414'584'319 ( one less increase )
1020 Should become: 36'893'488'143'124'135'934
1021 But really is: 18'446'744'069'414'584'318
1022 Delta: -4'294'967'297
1023 Correction1: -4'294'967'297 + 4'294'967'296 = -1
1024 Correction2: -1 + 18'446'744'069'414'584'320 = 18'446'744'069'414'584'319
1025 As you can see from the last two examples, you need strange numbers for
1027 RRDtool to fail (provided it's bug free of course), so this should not
1028 happen. However, SNMP or whatever method you choose to collect the
1029 data, might also report wrong numbers occasionally. We can't prevent
1030 all errors, but there are some things we can do. The RRDtool "create"
1031 command takes two special parameters for this. They define the minimum
1032 and maximum allowed values. Until now, we used "U", meaning "unknown".
1033 If you provide values for one or both of them and if RRDtool receives
1034 data points that are outside these limits, it will ignore those values.
1035 For a thermometer in degrees Celsius, the absolute minimum is just
1036 under -273. For my router, I can assume this minimum is much higher so
1037 I would set it to 10, where as the maximum temperature I would set to
1038 80. Any higher and the device would be out of order.
1039 For the speed of my car, I would never expect negative numbers and also
1041 I would not expect a speed higher than 230. Anything else, and there
1042 must have been an error. Remember: the opposite is not true, if the
1043 numbers pass this check, it doesn't mean that they are correct. Always
1044 judge the graph with a healthy dose of suspicion if it seems weird to
1045 you.
1046 Data Resampling
1048 One important feature of RRDtool has not been explained yet: it is vir‐
1050 tually impossible to collect data and feed it into RRDtool on exact
1051 intervals. RRDtool therefore interpolates the data, so they are stored
1052 on exact intervals. If you do not know what this means or how it works,
1053 then here's the help you seek:
1054 Suppose a counter increases by exactly one for every second. You want
1056 to measure it in 300 seconds intervals. You should retrieve values that
1057 are exactly 300 apart. However, due to various circumstances you are a
1058 few seconds late and the interval is 303. The delta will also be 303 in
1059 that case. Obviously, RRDtool should not put 303 in the database and
1060 make you believe that the counter increased by 303 in 300 seconds.
1061 This is where RRDtool interpolates: it alters the 303 value as if it
1062 would have been stored earlier and it will be 300 in 300 seconds. Next
1063 time you are at exactly the right time. This means that the current
1064 interval is 297 seconds and also the counter increased by 297. Again,
1065 RRDtool interpolates and stores 300 as it should be.
1066 in the RRD in reality
1068 time+000: 0 delta="U" time+000: 0 delta="U"
1070 time+300: 300 delta=300 time+300: 300 delta=300
1071 time+600: 600 delta=300 time+603: 603 delta=303
1072 time+900: 900 delta=300 time+900: 900 delta=297
1073 Let's create two identical databases. I've chosen the time range
1075 920'805'000 to 920'805'900 as this goes very well with the example num‐
1076 bers.
1077 rrdtool create seconds1.rrd \
1079 --start 920804700 \
1080 DS:seconds:COUNTER:600:U:U \
1081 RRA:AVERAGE:0.5:1:24
1082 Make a copy
1084 for Unix: cp seconds1.rrd seconds2.rrd
1086 for Dos: copy seconds1.rrd seconds2.rrd
1087 for vms: how would I know :)
1088 Put in some data
1090 rrdtool update seconds1.rrd \
1092 920805000:000 920805300:300 920805600:600 920805900:900
1093 rrdtool update seconds2.rrd \
1094 920805000:000 920805300:300 920805603:603 920805900:900
1095 Create output
1097 rrdtool graph seconds1.png \
1099 --start 920804700 --end 920806200 \
1100 --height 200 \
1101 --upper-limit 1.05 --lower-limit 0.95 --rigid \
1102 DEF:seconds=seconds1.rrd:seconds:AVERAGE \
1103 CDEF:unknown=seconds,UN \
1104 LINE2:seconds#0000FF \
1105 AREA:unknown#FF0000
1106 rrdtool graph seconds2.png \
1107 --start 920804700 --end 920806200 \
1108 --height 200 \
1109 --upper-limit 1.05 --lower-limit 0.95 --rigid \
1110 DEF:seconds=seconds2.rrd:seconds:AVERAGE \
1111 CDEF:unknown=seconds,UN \
1112 LINE2:seconds#0000FF \
1113 AREA:unknown#FF0000
1114 View both images together (add them to your index.html file) and com‐
1116 pare. Both graphs should show the same, despite the input being differ‐
1117 ent.
1118
1120 It's time now to wrap up this tutorial. We covered all the basics for
1121 you to be able to work with RRDtool and to read the additional documen‐
1122 tation available. There is plenty more to discover about RRDtool and
1123 you will find more and more uses for this package. You can easly create
1124 graphs using just the examples provided and using only RRDtool. You can
1125 also use one of the front ends to RRDtool that are available.
1126
1128 Remember to subscribe to the RRDtool mailing list. Even if you are not
1129 answering to mails that come by, it helps both you and the rest of the
1130 users. A lot of the stuff that I know about MRTG (and therefore about
1131 RRDtool) I've learned while just reading the list without posting to
1132 it. I did not need to ask the basic questions as they are answered in
1133 the FAQ (read it!) and in various mails by other users. With thousands
1134 of users all over the world, there will always be people who ask ques‐
1135 tions that you can answer because you read this and other documentation
1136 and they didn't.
1137
1139 The RRDtool manpages
1140
1142 I hope you enjoyed the examples and their descriptions. If you do, help
1143 other people by pointing them to this document when they are asking
1144 basic questions. They will not only get their answers, but at the same
1145 time learn a whole lot more.
1146 Alex van den Bogaerdt <alex@ergens.op.het.net>
11481.2.27 2008-02-17 RRDTUTORIAL(1)