1RRDTUTORIAL(1)                      rrdtool                     RRDTUTORIAL(1)
2
3
4

NAME

6       rrdtutorial - Alex van den Bogaerdt's RRDtool tutorial
7

DESCRIPTION

9       RRDtool is written by Tobias Oetiker <tobi@oetiker.ch> with
10       contributions from many people all around the world. This document is
11       written by Alex van den Bogaerdt <alex@vandenbogaerdt.nl> to help you
12       understand what RRDtool is and what it can do for you.
13
14       The documentation provided with RRDtool can be too technical for some
15       people. This tutorial is here to help you understand the basics of
16       RRDtool. It should prepare you to read the documentation yourself.  It
17       also explains the general things about statistics with a focus on
18       networking.
19

TUTORIAL

21   Important
22       Please don't skip ahead in this document!  The first part of this
23       document explains the basics and may be boring.  But if you don't
24       understand the basics, the examples will not be as meaningful to you.
25
26       Sometimes things change.  This example used to provide numbers like
27       "0.04" in stead of "4.00000e-02".  Those are really the same numbers,
28       just written down differently.  Don't be alarmed if a future version of
29       rrdtool displays a slightly different form of output. The examples in
30       this document are correct for version 1.2.0 of RRDtool.
31
32       Also, sometimes bugs do occur. They may also influence the outcome of
33       the examples. Example speed4.png was suffering from this (the handling
34       of unknown data in an if-statement was wrong). Normal data will be just
35       fine (a bug in rrdtool wouldn't last long) but special cases like NaN,
36       INF and so on may last a bit longer.  Try another version if you can,
37       or just live with it.
38
39       I fixed the speed4.png example (and added a note). There may be other
40       examples which suffer from the same or a similar bug.  Try to fix it
41       yourself, which is a great excercise. But please do not submit your
42       result as a fix to the source of this document. Discuss it on the
43       user's list, or write to me.
44
45   What is RRDtool?
46       RRDtool refers to Round Robin Database tool.  Round robin is a
47       technique that works with a fixed amount of data, and a pointer to the
48       current element. Think of a circle with some dots plotted on the edge.
49       These dots are the places where data can be stored. Draw an arrow from
50       the center of the circle to one of the dots; this is the pointer.  When
51       the current data is read or written, the pointer moves to the next
52       element. As we are on a circle there is neither a beginning nor an end,
53       you can go on and on and on. After a while, all the available places
54       will be used and the process automatically reuses old locations. This
55       way, the dataset will not grow in size and therefore requires no
56       maintenance.  RRDtool works with with Round Robin Databases (RRDs). It
57       stores and retrieves data from them.
58
59   What data can be put into an RRD?
60       You name it, it will probably fit as long as it is some sort of time-
61       series data. This means you have to be able to measure some value at
62       several points in time and provide this information to RRDtool. If you
63       can do this, RRDtool will be able to store it. The values must be
64       numerical but don't have to be integers, as is the case with MRTG (the
65       next section will give more details on this more specialized
66       application).
67
68       Many examples below talk about SNMP which is an acronym for Simple
69       Network Management Protocol. "Simple" refers to the protocol. It does
70       not mean it is simple to manage or monitor a network. After working
71       your way through this document, you should know enough to be able to
72       understand what people are talking about. For now, just realize that
73       SNMP can be used to query devices for the values of counters they keep.
74       It is the value from those counters that we want to store in the RRD.
75
76   What can I do with this tool?
77       RRDtool originated from MRTG (Multi Router Traffic Grapher). MRTG
78       started as a tiny little script for graphing the use of a university's
79       connection to the Internet. MRTG was later (ab-)used as a tool for
80       graphing other data sources including temperature, speed, voltage,
81       number of printouts and the like.
82
83       Most likely you will start to use RRDtool to store and process data
84       collected via SNMP. The data will most likely be bytes (or bits)
85       transferred from and to a network or a computer.  But it can also be
86       used to display tidal waves, solar radiation, power consumption, number
87       of visitors at an exhibition, noise levels near an airport, temperature
88       on your favorite holiday location, temperature in the fridge and
89       whatever your imagination can come up with.
90
91       You only need a sensor to measure the data and be able to feed the
92       numbers into RRDtool. RRDtool then lets you create a database, store
93       data in it, retrieve that data and create graphs in PNG format for
94       display on a web browser. Those PNG images are dependent on the data
95       you collected and could be, for instance, an overview of the average
96       network usage, or the peaks that occurred.
97
98   What if I still have problems after reading this document?
99       First of all: read it again! You may have missed something.  If you are
100       unable to compile the sources and you have a fairly common OS, it will
101       probably not be the fault of RRDtool. There may be pre-compiled
102       versions around on the Internet. If they come from trusted sources, get
103       one of those.
104
105       If on the other hand the program works but does not give you the
106       expected results, it will be a problem with configuring it. Review your
107       configuration and compare it with the examples that follow.
108
109       There is a mailing list and an archive of it. Read the list for a few
110       weeks and search the archive. It is considered rude to just ask a
111       question without searching the archives: your problem may already have
112       been solved for somebody else!  This is true for most, if not all,
113       mailing lists and not only for this particular one. Look in the
114       documentation that came with RRDtool for the location and usage of the
115       list.
116
117       I suggest you take a moment to subscribe to the mailing list right now
118       by sending an email to <rrd-users-request@lists.oetiker.ch> with a
119       subject of "subscribe". If you ever want to leave this list, just write
120       an email to the same address but now with a subject of "unsubscribe".
121
122   How will you help me?
123       By giving you some detailed descriptions with detailed examples.  I
124       assume that following the instructions in the order presented will give
125       you enough knowledge of RRDtool to experiment for yourself.  If it
126       doesn't work the first time, don't give up. Reread the stuff that you
127       did understand, you may have missed something.
128
129       By following the examples you get some hands-on experience and, even
130       more important, some background information of how it works.
131
132       You will need to know something about hexadecimal numbers. If you don't
133       then start with reading bin_dec_hex before you continue here.
134
135   Your first Round Robin Database
136       In my opinion the best way to learn something is to actually do it.
137       Why not start right now?  We will create a database, put some values in
138       it and extract this data again.  Your output should be the same as the
139       output that is included in this document.
140
141       We will start with some easy stuff and compare a car with a router, or
142       compare kilometers (miles if you wish) with bits and bytes. It's all
143       the same: some number over some time.
144
145       Assume we have a device that transfers bytes to and from the Internet.
146       This device keeps a counter that starts at zero when it is turned on,
147       increasing with every byte that is transferred. This counter will
148       probably have a maximum value. If this value is reached and an extra
149       byte is counted, the counter starts over at zero. This is the same as
150       many counters in the world such as the mileage counter in a car.
151
152       Most discussions about networking talk about bits per second so lets
153       get used to that right away. Assume a byte is eight bits and start to
154       think in bits not bytes. The counter, however, still counts bytes!  In
155       the SNMP world most of the counters are 32 bits. That means they are
156       counting from 0 to 4294967295. We will use these values in the
157       examples.  The device, when asked, returns the current value of the
158       counter. We know the time that has passes since we last asked so we now
159       know how many bytes have been transferred ***on average*** per second.
160       This is not very hard to calculate. First in words, then in
161       calculations:
162
163       1. Take the current counter, subtract the previous value from it.
164
165       2. Do the same with the current time and the previous time (in
166          seconds).
167
168       3. Divide the outcome of (1) by the outcome of (2), the result is the
169          amount of bytes per second. Multiply by eight to get the number of
170          bits per second (bps).
171
172         bps = (counter_now - counter_before) / (time_now - time_before) * 8
173
174       For some people it may help to translate this to an automobile example.
175       Do not try this example, and if you do, don't blame me for the results!
176
177       People who are not used to think in kilometers per hour can translate
178       most into miles per hour by dividing km by 1.6 (close enough).  I will
179       use the following abbreviations:
180
181        m:    meter
182        km:   kilometer (= 1000 meters).
183        h:    hour
184        s:    second
185        km/h: kilometers per hour
186        m/s:  meters per second
187
188       You are driving a car. At 12:05 you read the counter in the dashboard
189       and it tells you that the car has moved 12345 km until that moment.  At
190       12:10 you look again, it reads 12357 km. This means you have traveled
191       12 km in five minutes. A scientist would translate that into meters per
192       second and this makes a nice comparison toward the problem of (bytes
193       per five minutes) versus (bits per second).
194
195       We traveled 12 kilometers which is 12000 meters. We did that in five
196       minutes or 300 seconds. Our speed is 12000m / 300s or 40 m/s.
197
198       We could also calculate the speed in km/h: 12 times 5 minutes is an
199       hour, so we have to multiply 12 km by 12 to get 144 km/h.  For our
200       native English speaking friends: that's 90 mph so don't try this
201       example at home or where I live :)
202
203       Remember: these numbers are averages only.  There is no way to figure
204       out from the numbers, if you drove at a constant speed.  There is an
205       example later on in this tutorial that explains this.
206
207       I hope you understand that there is no difference in calculating m/s or
208       bps; only the way we collect the data is different. Even the k from
209       kilo is the same as in networking terms k also means 1000.
210
211       We will now create a database where we can keep all these interesting
212       numbers. The method used to start the program may differ slightly from
213       OS to OS, but I assume you can figure it out if it works different on
214       your's. Make sure you do not overwrite any file on your system when
215       executing the following command and type the whole line as one long
216       line (I had to split it for readability) and skip all of the '\'
217       characters.
218
219          rrdtool create test.rrd             \
220                   --start 920804400          \
221                   DS:speed:COUNTER:600:U:U   \
222                   RRA:AVERAGE:0.5:1:24       \
223                   RRA:AVERAGE:0.5:6:10
224
225       (So enter: "rrdtool create test.rrd --start 920804400 DS ...")
226
227   What has been created?
228       We created the round robin database called test (test.rrd) which starts
229       at noon the day I started writing this document, 7th of March, 1999
230       (this date translates to 920804400 seconds as explained below). Our
231       database holds one data source (DS) named "speed" that represents a
232       counter. This counter is read every five minutes (this is the default
233       therefore you don't have to put "--step=300").  In the same database
234       two round robin archives (RRAs) are kept, one averages the data every
235       time it is read (e.g., there's nothing to average) and keeps 24 samples
236       (24 times 5 minutes is 2 hours). The other averages 6 values (half
237       hour) and contains 10 such averages (e.g. 5 hours).
238
239       RRDtool works with special time stamps coming from the UNIX world.
240       This time stamp is the number of seconds that passed since January 1st
241       1970 UTC.  The time stamp value is translated into local time and it
242       will therefore look different for different time zones.
243
244       Chances are that you are not in the same part of the world as I am.
245       This means your time zone is different. In all examples where I talk
246       about time, the hours may be wrong for you. This has little effect on
247       the results of the examples, just correct the hours while reading.  As
248       an example: where I will see "12:05" the UK folks will see "11:05".
249
250       We now have to fill our database with some numbers. We'll pretend to
251       have read the following numbers:
252
253        12:05  12345 km
254        12:10  12357 km
255        12:15  12363 km
256        12:20  12363 km
257        12:25  12363 km
258        12:30  12373 km
259        12:35  12383 km
260        12:40  12393 km
261        12:45  12399 km
262        12:50  12405 km
263        12:55  12411 km
264        13:00  12415 km
265        13:05  12420 km
266        13:10  12422 km
267        13:15  12423 km
268
269       We fill the database as follows:
270
271        rrdtool update test.rrd 920804700:12345 920805000:12357 920805300:12363
272        rrdtool update test.rrd 920805600:12363 920805900:12363 920806200:12373
273        rrdtool update test.rrd 920806500:12383 920806800:12393 920807100:12399
274        rrdtool update test.rrd 920807400:12405 920807700:12411 920808000:12415
275        rrdtool update test.rrd 920808300:12420 920808600:12422 920808900:12423
276
277       This reads: update our test database with the following numbers
278
279        time 920804700, value 12345
280        time 920805000, value 12357
281
282       etcetera.
283
284       As you can see, it is possible to feed more than one value into the
285       database in one command. I had to stop at three for readability but the
286       real maximum per line is OS dependent.
287
288       We can now retrieve the data from our database using "rrdtool fetch":
289
290        rrdtool fetch test.rrd AVERAGE --start 920804400 --end 920809200
291
292       It should return the following output:
293
294                                 speed
295
296        920804700: nan
297        920805000: 4.0000000000e-02
298        920805300: 2.0000000000e-02
299        920805600: 0.0000000000e+00
300        920805900: 0.0000000000e+00
301        920806200: 3.3333333333e-02
302        920806500: 3.3333333333e-02
303        920806800: 3.3333333333e-02
304        920807100: 2.0000000000e-02
305        920807400: 2.0000000000e-02
306        920807700: 2.0000000000e-02
307        920808000: 1.3333333333e-02
308        920808300: 1.6666666667e-02
309        920808600: 6.6666666667e-03
310        920808900: 3.3333333333e-03
311        920809200: nan
312
313       If it doesn't, something may be wrong.  Perhaps your OS will print
314       "NaN" in a different form. "NaN" stands for "Not A Number".  If your OS
315       writes "U" or "UNKN" or something similar that's okay.  If something
316       else is wrong, it will probably be due to an error you made (assuming
317       that my tutorial is correct of course :-). In that case: delete the
318       database and try again.
319
320       The meaning of the above output will become clear below.
321
322   Time to create some graphics
323       Try the following command:
324
325        rrdtool graph speed.png                                 \
326                --start 920804400 --end 920808000               \
327                DEF:myspeed=test.rrd:speed:AVERAGE              \
328                LINE2:myspeed#FF0000
329
330       This will create speed.png which starts at 12:00 and ends at 13:00.
331       There is a definition of a variable called myspeed, using the data from
332       RRA "speed" out of database "test.rrd". The line drawn is 2 pixels high
333       and represents the variable myspeed. The color is red (specified by its
334       rgb-representation, see below).
335
336       You'll notice that the start of the graph is not at 12:00 but at 12:05.
337       This is because we have insufficient data to tell the average before
338       that time. This will only happen when you miss some samples, this will
339       not happen a lot, hopefully.
340
341       If this has worked: congratulations! If not, check what went wrong.
342
343       The colors are built up from red, green and blue. For each of the
344       components, you specify how much to use in hexadecimal where 00 means
345       not included and FF means fully included.  The "color" white is a
346       mixture of red, green and blue: FFFFFF The "color" black is all colors
347       off: 000000
348
349          red     #FF0000
350          green   #00FF00
351          blue    #0000FF
352          magenta #FF00FF     (mixed red with blue)
353          gray    #555555     (one third of all components)
354
355       Additionally you can (with a recent RRDtool)  add an alpha channel
356       (transparency).  The default will be "FF" which means non-transparent.
357
358       The PNG you just created can be displayed using your favorite image
359       viewer.  Web browsers will display the PNG via the URL
360       "file:///the/path/to/speed.png"
361
362   Graphics with some math
363       When looking at the image, you notice that the horizontal axis is
364       labeled 12:10, 12:20, 12:30, 12:40 and 12:50. Sometimes a label doesn't
365       fit (12:00 and 13:00 would be likely candidates) so they are skipped.
366
367       The vertical axis displays the range we entered. We provided kilometers
368       and when divided by 300 seconds, we get very small numbers. To be
369       exact, the first value was 12 (12357-12345) and divided by 300 this
370       makes 0.04, which is displayed by RRDtool as "40 m" meaning "40/1000".
371       The "m" (milli) has nothing to do with meters (also m), kilometers or
372       millimeters! RRDtool doesn't know about the physical units of our data,
373       it just works with dimensionless numbers.
374
375       If we had measured our distances in meters, this would have been
376       (12357000-12345000)/300 = 12000/300 = 40.
377
378       As most people have a better feel for numbers in this range, we'll
379       correct that. We could recreate our database and store the correct
380       data, but there is a better way: we do some calculations while creating
381       the png file!
382
383          rrdtool graph speed2.png                           \
384             --start 920804400 --end 920808000               \
385             --vertical-label m/s                            \
386             DEF:myspeed=test.rrd:speed:AVERAGE              \
387             CDEF:realspeed=myspeed,1000,\*                  \
388             LINE2:realspeed#FF0000
389
390       Note: I need to escape the multiplication operator * with a backslash.
391       If I don't, the operating system may interpret it and use it for file
392       name expansion. You could also place the line within quotation marks
393       like so:
394
395             "CDEF:realspeed=myspeed,1000,*"                  \
396
397       It boils down to: it is RRDtool which should see *, not your shell.
398       And it is your shell interpreting \, not RRDtool. You may need to
399       adjust examples accordingly if you happen to use an operating system or
400       shell which behaves differently.
401
402       After viewing this PNG, you notice the "m" (milli) has disappeared.
403       This it what the correct result would be. Also, a label has been added
404       to the image.  Apart from the things mentioned above, the PNG should
405       look the same.
406
407       The calculations are specified in the CDEF part above and are in
408       Reverse Polish Notation ("RPN"). What we requested RRDtool to do is:
409       "take the data source myspeed and the number 1000; multiply those".
410       Don't bother with RPN yet, it will be explained later on in more
411       detail. Also, you may want to read my tutorial on CDEFs and Steve
412       Rader's tutorial on RPN. But first finish this tutorial.
413
414       Hang on! If we can multiply values with 1000, it should also be
415       possible to display kilometers per hour from the same data!
416
417       To change a value that is measured in meters per second:
418
419        Calculate meters per hour:     value * 3600
420        Calculate kilometers per hour: value / 1000
421        Together this makes:           value * (3600/1000) or value * 3.6
422
423       In our example database we made a mistake and we need to compensate for
424       this by multiplying with 1000. Applying that correction:
425
426        value * 3.6  * 1000 == value * 3600
427
428       Now let's create this PNG, and add some more magic ...
429
430        rrdtool graph speed3.png                             \
431             --start 920804400 --end 920808000               \
432             --vertical-label km/h                           \
433             DEF:myspeed=test.rrd:speed:AVERAGE              \
434             "CDEF:kmh=myspeed,3600,*"                       \
435             CDEF:fast=kmh,100,GT,kmh,0,IF                   \
436             CDEF:good=kmh,100,GT,0,kmh,IF                   \
437             HRULE:100#0000FF:"Maximum allowed"              \
438             AREA:good#00FF00:"Good speed"                   \
439             AREA:fast#FF0000:"Too fast"
440
441       Note: here we use another means to escape the * operator by enclosing
442       the whole string in double quotes.
443
444       This graph looks much better. Speed is shown in km/h and there is even
445       an extra line with the maximum allowed speed (on the road I travel on).
446       I also changed the colors used to display speed and changed it from a
447       line into an area.
448
449       The calculations are more complex now. For speed measurements within
450       the speed limit they are:
451
452          Check if kmh is greater than 100    ( kmh,100 ) GT
453          If so, return 0, else kmh           ((( kmh,100 ) GT ), 0, kmh) IF
454
455       For values above the speed limit:
456
457          Check if kmh is greater than 100    ( kmh,100 ) GT
458          If so, return kmh, else return 0    ((( kmh,100) GT ), kmh, 0) IF
459
460   Graphics Magic
461       I like to believe there are virtually no limits to how RRDtool graph
462       can manipulate data. I will not explain how it works, but look at the
463       following PNG:
464
465          rrdtool graph speed4.png                           \
466             --start 920804400 --end 920808000               \
467             --vertical-label km/h                           \
468             DEF:myspeed=test.rrd:speed:AVERAGE              \
469             CDEF:nonans=myspeed,UN,0,myspeed,IF             \
470             CDEF:kmh=nonans,3600,*                          \
471             CDEF:fast=kmh,100,GT,100,0,IF                   \
472             CDEF:over=kmh,100,GT,kmh,100,-,0,IF             \
473             CDEF:good=kmh,100,GT,0,kmh,IF                   \
474             HRULE:100#0000FF:"Maximum allowed"              \
475             AREA:good#00FF00:"Good speed"                   \
476             AREA:fast#550000:"Too fast"                     \
477             STACK:over#FF0000:"Over speed"
478
479       Remember the note in the beginning?  I had to remove unknown data from
480       this example. The 'nonans' CDEF is new, and the 6th line (which used to
481       be the 5th line) used to read 'CDEF:kmh=myspeed,3600,*'
482
483       Let's create a quick and dirty HTML page to view the three PNGs:
484
485          <HTML><HEAD><TITLE>Speed</TITLE></HEAD><BODY>
486          <IMG src="speed2.png" alt="Speed in meters per second">
487          <BR>
488          <IMG src="speed3.png" alt="Speed in kilometers per hour">
489          <BR>
490          <IMG src="speed4.png" alt="Traveled too fast?">
491          </BODY></HTML>
492
493       Name the file "speed.html" or similar, and look at it in your web
494       browser.
495
496       Now, all you have to do is measure the values regularly and update the
497       database.  When you want to view the data, recreate the PNGs and make
498       sure to refresh them in your browser. (Note: just clicking reload may
499       not be enough, especially when proxies are involved.  Try shift-reload
500       or ctrl-F5).
501
502   Updates in Reality
503       We've already used the "update" command: it took one or more parameters
504       in the form of "<time>:<value>". You'll be glad to know that you can
505       specify the current time by filling in a "N" as the time.  Or you could
506       use the "time" function in Perl (the shortest example in this
507       tutorial):
508
509          perl -e 'print time, "\n" '
510
511       How to run a program on regular intervals is OS specific. But here is
512       an example in pseudo code:
513
514          - Get the value and put it in variable "$speed"
515          - rrdtool update speed.rrd N:$speed
516
517       (do not try this with our test database, we'll use it in further
518       examples)
519
520       This is all. Run the above script every five minutes. When you need to
521       know what the graphs look like, run the examples above. You could put
522       them in a script as well. After running that script, view the page
523       index.html we created above.
524
525   Some words on SNMP
526       I can imagine very few people that will be able to get real data from
527       their car every five minutes. All other people will have to settle for
528       some other kind of counter. You could measure the number of pages
529       printed by a printer, for example, the cups of coffee made by the
530       coffee machine, a device that counts the electricity used, whatever.
531       Any incrementing counter can be monitored and graphed using the stuff
532       you learned so far. Later on we will also be able to monitor other
533       types of values like temperature.
534
535       Many people interested in RRDtool will use the counter that keeps track
536       of octets (bytes) transferred by a network device. So let's do just
537       that next. We will start with a description of how to collect data.
538
539       Some people will make a remark that there are tools which can do this
540       data collection for you. They are right! However, I feel it is
541       important that you understand they are not necessary. When you have to
542       determine why things went wrong you need to know how they work.
543
544       One tool used in the example has been talked about very briefly in the
545       beginning of this document, it is called SNMP. It is a way of talking
546       to networked equipment. The tool I use below is called "snmpget" and
547       this is how it works:
548
549          snmpget device password OID
550
551       or
552
553          snmpget -v[version] -c[password] device OID
554
555       For device you substitute the name, or the IP address, of your device.
556       For password you use the "community read string" as it is called in the
557       SNMP world.  For some devices the default of "public" might work,
558       however this can be disabled, altered or protected for privacy and
559       security reasons.  Read the documentation that comes with your device
560       or program.
561
562       Then there is this parameter, called OID, which means "object
563       identifier".
564
565       When you start to learn about SNMP it looks very confusing. It isn't
566       all that difficult when you look at the Management Information Base
567       ("MIB").  It is an upside-down tree that describes data, with a single
568       node as the root and from there a number of branches.  These branches
569       end up in another node, they branch out, etc.  All the branches have a
570       name and they form the path that we follow all the way down.  The
571       branches that we follow are named: iso, org, dod, internet, mgmt and
572       mib-2.  These names can also be written down as numbers and are 1 3 6 1
573       2 1.
574
575          iso.org.dod.internet.mgmt.mib-2 (1.3.6.1.2.1)
576
577       There is a lot of confusion about the leading dot that some programs
578       use.  There is *no* leading dot in an OID.  However, some programs can
579       use the above part of OIDs as a default.  To indicate the difference
580       between abbreviated OIDs and full OIDs they need a leading dot when you
581       specify the complete OID.  Often those programs will leave out the
582       default portion when returning the data to you.  To make things worse,
583       they have several default prefixes ...
584
585       Ok, lets continue to the start of our OID: we had 1.3.6.1.2.1 From
586       there, we are especially interested in the branch "interfaces" which
587       has number 2 (e.g., 1.3.6.1.2.1.2 or 1.3.6.1.2.1.interfaces).
588
589       First, we have to get some SNMP program. First look if there is a pre-
590       compiled package available for your OS. This is the preferred way.  If
591       not, you will have to get the sources yourself and compile those.  The
592       Internet is full of sources, programs etc. Find information using a
593       search engine or whatever you prefer.
594
595       Assume you got the program. First try to collect some data that is
596       available on most systems. Remember: there is a short name for the part
597       of the tree that interests us most in the world we live in!
598
599       I will give an example which can be used on Fedora Core 3.  If it
600       doesn't work for you, work your way through the manual of snmp and
601       adapt the example to make it work.
602
603          snmpget -v2c -c public myrouter system.sysDescr.0
604
605       The device should answer with a description of itself, perhaps an empty
606       one. Until you got a valid answer from a device, perhaps using a
607       different "password", or a different device, there is no point in
608       continuing.
609
610          snmpget -v2c -c public myrouter interfaces.ifNumber.0
611
612       Hopefully you get a number as a result, the number of interfaces.  If
613       so, you can carry on and try a different program called "snmpwalk".
614
615          snmpwalk -v2c -c public myrouter interfaces.ifTable.ifEntry.ifDescr
616
617       If it returns with a list of interfaces, you're almost there.  Here's
618       an example:
619          [user@host /home/alex]$ snmpwalk -v2c -c public cisco 2.2.1.2
620
621          interfaces.ifTable.ifEntry.ifDescr.1 = "BRI0: B-Channel 1"
622          interfaces.ifTable.ifEntry.ifDescr.2 = "BRI0: B-Channel 2"
623          interfaces.ifTable.ifEntry.ifDescr.3 = "BRI0" Hex: 42 52 49 30
624          interfaces.ifTable.ifEntry.ifDescr.4 = "Ethernet0"
625          interfaces.ifTable.ifEntry.ifDescr.5 = "Loopback0"
626
627       On this cisco equipment, I would like to monitor the "Ethernet0"
628       interface and from the above output I see that it is number four. I
629       try:
630
631          [user@host /home/alex]$ snmpget -v2c -c public cisco 2.2.1.10.4 2.2.1.16.4
632
633          interfaces.ifTable.ifEntry.ifInOctets.4 = 2290729126
634          interfaces.ifTable.ifEntry.ifOutOctets.4 = 1256486519
635
636       So now I have two OIDs to monitor and they are (in full, this time):
637
638          1.3.6.1.2.1.2.2.1.10
639
640       and
641
642          1.3.6.1.2.1.2.2.1.16
643
644       both with an interface number of 4.
645
646       Don't get fooled, this wasn't my first try. It took some time for me
647       too to understand what all these numbers mean. It does help a lot when
648       they get translated into descriptive text... At least, when people are
649       talking about MIBs and OIDs you know what it's all about.  Do not
650       forget the interface number (0 if it is not interface dependent) and
651       try snmpwalk if you don't get an answer from snmpget.
652
653       If you understand the above section and get numbers from your device,
654       continue on with this tutorial. If not, then go back and re-read this
655       part.
656
657   A Real World Example
658       Let the fun begin. First, create a new database. It contains data from
659       two counters, called input and output. The data is put into archives
660       that average it. They take 1, 6, 24 or 288 samples at a time.  They
661       also go into archives that keep the maximum numbers. This will be
662       explained later on. The time in-between samples is 300 seconds, a good
663       starting point, which is the same as five minutes.
664
665        1 sample "averaged" stays 1 period of 5 minutes
666        6 samples averaged become one average on 30 minutes
667        24 samples averaged become one average on 2 hours
668        288 samples averaged become one average on 1 day
669
670       Lets try to be compatible with MRTG which stores about the following
671       amount of data:
672
673        600 5-minute samples:    2   days and 2 hours
674        600 30-minute samples:  12.5 days
675        600 2-hour samples:     50   days
676        732 1-day samples:     732   days
677
678       These ranges are appended, so the total amount of data stored in the
679       database is approximately 797 days. RRDtool stores the data
680       differently, it doesn't start the "weekly" archive where the "daily"
681       archive stopped. For both archives the most recent data will be near
682       "now" and therefore we will need to keep more data than MRTG does!
683
684       We will need:
685
686        600 samples of 5 minutes  (2 days and 2 hours)
687        700 samples of 30 minutes (2 days and 2 hours, plus 12.5 days)
688        775 samples of 2 hours    (above + 50 days)
689        797 samples of 1 day      (above + 732 days, rounded up to 797)
690
691          rrdtool create myrouter.rrd         \
692                   DS:input:COUNTER:600:U:U   \
693                   DS:output:COUNTER:600:U:U  \
694                   RRA:AVERAGE:0.5:1:600      \
695                   RRA:AVERAGE:0.5:6:700      \
696                   RRA:AVERAGE:0.5:24:775     \
697                   RRA:AVERAGE:0.5:288:797    \
698                   RRA:MAX:0.5:1:600          \
699                   RRA:MAX:0.5:6:700          \
700                   RRA:MAX:0.5:24:775         \
701                   RRA:MAX:0.5:288:797
702
703       Next thing to do is to collect data and store it. Here is an example.
704       It is written partially in pseudo code,  you will have to find out what
705       to do exactly on your OS to make it work.
706
707          while not the end of the universe
708          do
709             get result of
710                snmpget router community 2.2.1.10.4
711             into variable $in
712             get result of
713                snmpget router community 2.2.1.16.4
714             into variable $out
715
716             rrdtool update myrouter.rrd N:$in:$out
717
718             wait for 5 minutes
719          done
720
721       Then, after collecting data for a day, try to create an image using:
722
723          rrdtool graph myrouter-day.png --start -86400 \
724                   DEF:inoctets=myrouter.rrd:input:AVERAGE \
725                   DEF:outoctets=myrouter.rrd:output:AVERAGE \
726                   AREA:inoctets#00FF00:"In traffic" \
727                   LINE1:outoctets#0000FF:"Out traffic"
728
729       This should produce a picture with one day worth of traffic.  One day
730       is 24 hours of 60 minutes of 60 seconds: 24*60*60=86400, we start at
731       now minus 86400 seconds. We define (with DEFs) inoctets and outoctets
732       as the average values from the database myrouter.rrd and draw an area
733       for the "in" traffic and a line for the "out" traffic.
734
735       View the image and keep logging data for a few more days.  If you like,
736       you could try the examples from the test database and see if you can
737       get various options and calculations to work.
738
739       Suggestion: Display in bytes per second and in bits per second. Make
740       the Ethernet graphics go red if they are over four megabits per second.
741
742   Consolidation Functions
743       A few paragraphs back I mentioned the possibility of keeping the
744       maximum values instead of the average values. Let's go into this a bit
745       more.
746
747       Recall all the stuff about the speed of the car. Suppose we drove at
748       144 km/h during 5 minutes and then were stopped by the police for 25
749       minutes.  At the end of the lecture we would take our laptop and create
750       and view the image taken from the database. If we look at the second
751       RRA we did create, we would have the average from 6 samples. The
752       samples measured would be 144+0+0+0+0+0=144, divided by 30 minutes,
753       corrected for the error by 1000, translated into km/h, with a result of
754       24 km/h.  I would still get a ticket but not for speeding anymore :)
755
756       Obviously, in this case we shouldn't look at the averages. In some
757       cases they are handy. If you want to know how many km you had traveled,
758       the averaged picture would be the right one to look at. On the other
759       hand, for the speed that we traveled at, the maximum numbers seen is
760       much more interesting. Later we will see more types.
761
762       It is the same for data. If you want to know the amount, look at the
763       averages. If you want to know the rate, look at the maximum.  Over
764       time, they will grow apart more and more. In the last database we have
765       created, there are two archives that keep data per day. The archive
766       that keeps averages will show low numbers, the archive that shows
767       maxima will have higher numbers.
768
769       For my car this would translate in averages per day of 96/24=4 km/h (as
770       I travel about 94 kilometers on a day) during working days, and maxima
771       of 120 km/h (my top speed that I reach every day).
772
773       Big difference. Do not look at the second graph to estimate the
774       distances that I travel and do not look at the first graph to estimate
775       my speed. This will work if the samples are close together, as they are
776       in five minutes, but not if you average.
777
778       On some days, I go for a long ride. If I go across Europe and travel
779       for 12 hours, the first graph will rise to about 60 km/h. The second
780       one will show 180 km/h. This means that I traveled a distance of 60
781       km/h times 24 h = 1440 km. I did this with a higher speed and a maximum
782       around 180 km/h. However, it probably doesn't mean that I traveled for
783       8 hours at a constant speed of 180 km/h!
784
785       This is a real example: go with the flow through Germany (fast!) and
786       stop a few times for gas and coffee. Drive slowly through Austria and
787       the Netherlands. Be careful in the mountains and villages. If you would
788       look at the graphs created from the five-minute averages you would get
789       a totally different picture. You would see the same values on the
790       average and maximum graphs (provided I measured every 300 seconds).
791       You would be able to see when I stopped, when I was in top gear, when I
792       drove over fast highways etc. The granularity of the data is much
793       higher, so you can see more. However, this takes 12 samples per hour,
794       or 288 values per day, so it would be a lot of data over a longer
795       period of time. Therefore we average it, eventually to one value per
796       day. From this one value, we cannot see much detail, of course.
797
798       Make sure you understand the last few paragraphs. There is no value in
799       only a line and a few axis, you need to know what they mean and
800       interpret the data in an appropriate way. This is true for all data.
801
802       The biggest mistake you can make is to use the collected data for
803       something that it is not suitable for. You would be better off if you
804       didn't have the graph at all.
805
806   Let's review what you now should know
807       You know how to create a database and can put data in it. You can get
808       the numbers out again by creating an image, do math on the data from
809       the database and view the result instead of the raw data.  You know
810       about the difference between averages and maximum, and when to use
811       which (or at least you should have an idea).
812
813       RRDtool can do more than what we have learned up to now. Before you
814       continue with the rest of this doc, I recommend that you reread from
815       the start and try some modifications on the examples. Make sure you
816       fully understand everything. It will be worth the effort and helps you
817       not only with the rest of this tutorial, but also in your day to day
818       monitoring long after you read this introduction.
819
820   Data Source Types
821       All right, you feel like continuing. Welcome back and get ready for an
822       increased speed in the examples and explanations.
823
824       You know that in order to view a counter over time, you have to take
825       two numbers and divide the difference of them between the time lapsed.
826       This makes sense for the examples I gave you but there are other
827       possibilities.  For instance, I'm able to retrieve the temperature from
828       my router in three places namely the inlet, the so called hot-spot and
829       the exhaust.  These values are not counters.  If I take the difference
830       of the two samples and divide that by 300 seconds I would be asking for
831       the temperature change per second.  Hopefully this is zero! If not, the
832       computer room is probably on fire :)
833
834       So, what can we do?  We can tell RRDtool to store the values we measure
835       directly as they are (this is not entirely true but close enough). The
836       graphs we make will look much better, they will show a rather constant
837       value. I know when the router is busy (it works -> it uses more
838       electricity -> it generates more heat -> the temperature rises). I know
839       when the doors are left open (the room is air conditioned) -> the warm
840       air from the rest of the building flows into the computer room -> the
841       inlet temperature rises). Etc. The data type we use when creating the
842       database before was counter, we now have a different data type and thus
843       a different name for it. It is called GAUGE. There are more such data
844       types:
845
846        - COUNTER   we already know this one
847        - GAUGE     we just learned this one
848        - DERIVE
849        - ABSOLUTE
850
851       The two additional types are DERIVE and ABSOLUTE. Absolute can be used
852       like counter with one difference: RRDtool assumes the counter is reset
853       when it's read. That is: its delta is known without calculation by
854       RRDtool whereas RRDtool needs to calculate it for the counter type.
855       Example: our first example (12345, 12357, 12363, 12363) would read:
856       unknown, 12, 6, 0. The rest of the calculations stay the same.  The
857       other one, derive, is like counter. Unlike counter, it can also
858       decrease so it can have a negative delta. Again, the rest of the
859       calculations stay the same.
860
861       Let's try them all:
862
863          rrdtool create all.rrd --start 978300900 \
864                   DS:a:COUNTER:600:U:U \
865                   DS:b:GAUGE:600:U:U \
866                   DS:c:DERIVE:600:U:U \
867                   DS:d:ABSOLUTE:600:U:U \
868                   RRA:AVERAGE:0.5:1:10
869          rrdtool update all.rrd \
870                   978301200:300:1:600:300    \
871                   978301500:600:3:1200:600   \
872                   978301800:900:5:1800:900   \
873                   978302100:1200:3:2400:1200 \
874                   978302400:1500:1:2400:1500 \
875                   978302700:1800:2:1800:1800 \
876                   978303000:2100:4:0:2100    \
877                   978303300:2400:6:600:2400  \
878                   978303600:2700:4:600:2700  \
879                   978303900:3000:2:1200:3000
880          rrdtool graph all1.png -s 978300600 -e 978304200 -h 400 \
881                   DEF:linea=all.rrd:a:AVERAGE LINE3:linea#FF0000:"Line A" \
882                   DEF:lineb=all.rrd:b:AVERAGE LINE3:lineb#00FF00:"Line B" \
883                   DEF:linec=all.rrd:c:AVERAGE LINE3:linec#0000FF:"Line C" \
884                   DEF:lined=all.rrd:d:AVERAGE LINE3:lined#000000:"Line D"
885
886   RRDtool under the Microscope
887       · Line A is a COUNTER type, so it should continuously increment and
888         RRDtool must calculate the differences. Also, RRDtool needs to divide
889         the difference by the amount of time lapsed. This should end up as a
890         straight line at 1 (the deltas are 300, the time is 300).
891
892       · Line B is of type GAUGE. These are "real" values so they should match
893         what we put in: a sort of a wave.
894
895       · Line C is of type DERIVE. It should be a counter that can decrease.
896         It does so between 2400 and 0, with 1800 in-between.
897
898       · Line D is of type ABSOLUTE. This is like counter but it works on
899         values without calculating the difference. The numbers are the same
900         and as you can see (hopefully) this has a different result.
901
902       This translates in the following values, starting at 23:10 and ending
903       at 00:10 the next day (where "u" means unknown/unplotted):
904
905        - Line A:  u  u  1  1  1  1  1  1  1  1  1  u
906        - Line B:  u  1  3  5  3  1  2  4  6  4  2  u
907        - Line C:  u  u  2  2  2  0 -2 -6  2  0  2  u
908        - Line D:  u  1  2  3  4  5  6  7  8  9 10  u
909
910       If your PNG shows all this, you know you have entered the data
911       correctly, the RRDtool executable is working properly, your viewer
912       doesn't fool you, and you successfully entered the year 2000 :)
913
914       You could try the same example four times, each time with only one of
915       the lines.
916
917       Let's go over the data again:
918
919       · Line A: 300,600,900 and so on. The counter delta is a constant 300
920         and so is the time delta. A number divided by itself is always 1
921         (except when dividing by zero which is undefined/illegal).
922
923         Why is it that the first point is unknown? We do know what we put
924         into the database, right? True, But we didn't have a value to
925         calculate the delta from, so we don't know where we started. It would
926         be wrong to assume we started at zero so we don't!
927
928       · Line B: There is nothing to calculate. The numbers are as they are.
929
930       · Line C: Again, the start-out value is unknown. The same story is
931         holds as for line A. In this case the deltas are not constant,
932         therefore the line is not either. If we would put the same numbers in
933         the database as we did for line A, we would have gotten the same
934         line. Unlike type counter, this type can decrease and I hope to show
935         you later on why this makes a difference.
936
937       · Line D: Here the device calculates the deltas. Therefore we DO know
938         the first delta and it is plotted. We had the same input as with line
939         A, but the meaning of this input is different and thus the line is
940         different.  In this case the deltas increase each time with 300. The
941         time delta stays at a constant 300 and therefore the division of the
942         two gives increasing values.
943
944   Counter Wraps
945       There are a few more basics to show. Some important options are still
946       to be covered and we haven't look at counter wraps yet. First the
947       counter wrap: In our car we notice that the counter shows 999987. We
948       travel 20 km and the counter should go to 1000007. Unfortunately, there
949       are only six digits on our counter so it really shows 000007. If we
950       would plot that on a type DERIVE, it would mean that the counter was
951       set back 999980 km. It wasn't, and there has to be some protection for
952       this. This protection is only available for type COUNTER which should
953       be used for this kind of counter anyways. How does it work? Type
954       counter should never decrease and therefore RRDtool must assume it
955       wrapped if it does decrease!  If the delta is negative, this can be
956       compensated for by adding the maximum value of the counter + 1. For our
957       car this would be:
958
959        Delta = 7 - 999987 = -999980    (instead of 1000007-999987=20)
960
961        Real delta = -999980 + 999999 + 1 = 20
962
963       At the time of writing this document, RRDtool knows of counters that
964       are either 32 bits or 64 bits of size. These counters can handle the
965       following different values:
966
967        - 32 bits: 0 ..           4294967295
968        - 64 bits: 0 .. 18446744073709551615
969
970       If these numbers look strange to you, you can view them in their
971       hexadecimal form:
972
973        - 32 bits: 0 ..         FFFFFFFF
974        - 64 bits: 0 .. FFFFFFFFFFFFFFFF
975
976       RRDtool handles both counters the same. If an overflow occurs and the
977       delta would be negative, RRDtool first adds the maximum of a small
978       counter + 1 to the delta. If the delta is still negative, it had to be
979       the large counter that wrapped. Add the maximum possible value of the
980       large counter + 1 and subtract the erroneously added small value.
981
982       There is a risk in this: suppose the large counter wrapped while adding
983       a huge delta, it could happen, theoretically, that adding the smaller
984       value would make the delta positive. In this unlikely case the results
985       would not be correct. The increase should be nearly as high as the
986       maximum counter value for that to happen, so chances are you would have
987       several other problems as well and this particular problem would not
988       even be worth thinking about. Even though, I did include an example, so
989       you can judge for yourself.
990
991       The next section gives you some numerical examples for counter-wraps.
992       Try to do the calculations yourself or just believe me if your
993       calculator can't handle the numbers :)
994
995       Correction numbers:
996
997        - 32 bits: (4294967295 + 1) =                                4294967296
998        - 64 bits: (18446744073709551615 + 1)
999                                           - correction1 = 18446744069414584320
1000
1001        Before:        4294967200
1002        Increase:                100
1003        Should become: 4294967300
1004        But really is:             4
1005        Delta:        -4294967196
1006        Correction1:  -4294967196 + 4294967296 = 100
1007
1008        Before:        18446744073709551000
1009        Increase:                             800
1010        Should become: 18446744073709551800
1011        But really is:                        184
1012        Delta:        -18446744073709550816
1013        Correction1:  -18446744073709550816
1014                                       + 4294967296 = -18446744069414583520
1015        Correction2:  -18446744069414583520
1016                          + 18446744069414584320 = 800
1017
1018        Before:        18446744073709551615 ( maximum value )
1019        Increase:      18446744069414584320 ( absurd increase, minimum for
1020        Should become: 36893488143124135935             this example to work )
1021        But really is: 18446744069414584319
1022        Delta:                     -4294967296
1023        Correction1:  -4294967296 + 4294967296 = 0
1024        (not negative -> no correction2)
1025
1026        Before:        18446744073709551615 ( maximum value )
1027        Increase:      18446744069414584319 ( one less increase )
1028        Should become: 36893488143124135934
1029        But really is: 18446744069414584318
1030        Delta:                     -4294967297
1031        Correction1:  -4294967297 + 4294967296 = -1
1032        Correction2:  -1 + 18446744069414584320 = 18446744069414584319
1033
1034       As you can see from the last two examples, you need strange numbers for
1035       RRDtool to fail (provided it's bug free of course), so this should not
1036       happen. However, SNMP or whatever method you choose to collect the
1037       data, might also report wrong numbers occasionally.  We can't prevent
1038       all errors, but there are some things we can do. The RRDtool "create"
1039       command takes two special parameters for this. They define the minimum
1040       and maximum allowed values. Until now, we used "U", meaning "unknown".
1041       If you provide values for one or both of them and if RRDtool receives
1042       data points that are outside these limits, it will ignore those values.
1043       For a thermometer in degrees Celsius, the absolute minimum is just
1044       under -273. For my router, I can assume this minimum is much higher so
1045       I would set it to 10, where as the maximum temperature I would set to
1046       80. Any higher and the device would be out of order.
1047
1048       For the speed of my car, I would never expect negative numbers and also
1049       I would not expect a speed  higher than 230. Anything else, and there
1050       must have been an error. Remember: the opposite is not true, if the
1051       numbers pass this check, it doesn't mean that they are correct. Always
1052       judge the graph with a healthy dose of suspicion if it seems weird to
1053       you.
1054
1055   Data Resampling
1056       One important feature of RRDtool has not been explained yet: it is
1057       virtually impossible to collect data and feed it into RRDtool on exact
1058       intervals. RRDtool therefore interpolates the data, so they are stored
1059       on exact intervals. If you do not know what this means or how it works,
1060       then here's the help you seek:
1061
1062       Suppose a counter increases by exactly one for every second. You want
1063       to measure it in 300 seconds intervals. You should retrieve values that
1064       are exactly 300 apart. However, due to various circumstances you are a
1065       few seconds late and the interval is 303. The delta will also be 303 in
1066       that case. Obviously, RRDtool should not put 303 in the database and
1067       make you believe that the counter increased by 303 in 300 seconds.
1068       This is where RRDtool interpolates: it alters the 303 value as if it
1069       would have been stored earlier and it will be 300 in 300 seconds.  Next
1070       time you are at exactly the right time. This means that the current
1071       interval is 297 seconds and also the counter increased by 297. Again,
1072       RRDtool interpolates and stores 300 as it should be.
1073
1074             in the RRD                 in reality
1075
1076        time+000:   0 delta="U"   time+000:    0 delta="U"
1077        time+300: 300 delta=300   time+300:  300 delta=300
1078        time+600: 600 delta=300   time+603:  603 delta=303
1079        time+900: 900 delta=300   time+900:  900 delta=297
1080
1081       Let's create two identical databases. I've chosen the time range
1082       920805000 to 920805900 as this goes very well with the example numbers.
1083
1084          rrdtool create seconds1.rrd   \
1085             --start 920804700          \
1086             DS:seconds:COUNTER:600:U:U \
1087             RRA:AVERAGE:0.5:1:24
1088
1089       Make a copy
1090
1091          for Unix: cp seconds1.rrd seconds2.rrd
1092          for Dos:  copy seconds1.rrd seconds2.rrd
1093          for vms:  how would I know :)
1094
1095       Put in some data
1096
1097          rrdtool update seconds1.rrd \
1098             920805000:000 920805300:300 920805600:600 920805900:900
1099          rrdtool update seconds2.rrd \
1100             920805000:000 920805300:300 920805603:603 920805900:900
1101
1102       Create output
1103
1104          rrdtool graph seconds1.png                       \
1105             --start 920804700 --end 920806200             \
1106             --height 200                                  \
1107             --upper-limit 1.05 --lower-limit 0.95 --rigid \
1108             DEF:seconds=seconds1.rrd:seconds:AVERAGE      \
1109             CDEF:unknown=seconds,UN                       \
1110             LINE2:seconds#0000FF                          \
1111             AREA:unknown#FF0000
1112          rrdtool graph seconds2.png                       \
1113             --start 920804700 --end 920806200             \
1114             --height 200                                  \
1115             --upper-limit 1.05 --lower-limit 0.95 --rigid \
1116             DEF:seconds=seconds2.rrd:seconds:AVERAGE      \
1117             CDEF:unknown=seconds,UN                       \
1118             LINE2:seconds#0000FF                          \
1119             AREA:unknown#FF0000
1120
1121       View both images together (add them to your index.html file) and
1122       compare. Both graphs should show the same, despite the input being
1123       different.
1124

WRAPUP

1126       It's time now to wrap up this tutorial. We covered all the basics for
1127       you to be able to work with RRDtool and to read the additional
1128       documentation available. There is plenty more to discover about RRDtool
1129       and you will find more and more uses for this package. You can easily
1130       create graphs using just the examples provided and using only RRDtool.
1131       You can also use one of the front ends to RRDtool that are available.
1132

MAILINGLIST

1134       Remember to subscribe to the RRDtool mailing list. Even if you are not
1135       answering to mails that come by, it helps both you and the rest of the
1136       users. A lot of the stuff that I know about MRTG (and therefore about
1137       RRDtool) I've learned while just reading the list without posting to
1138       it. I did not need to ask the basic questions as they are answered in
1139       the FAQ (read it!) and in various mails by other users. With thousands
1140       of users all over the world, there will always be people who ask
1141       questions that you can answer because you read this and other
1142       documentation and they didn't.
1143

SEE ALSO

1145       The RRDtool manpages
1146

AUTHOR

1148       I hope you enjoyed the examples and their descriptions. If you do, help
1149       other people by pointing them to this document when they are asking
1150       basic questions. They will not only get their answers, but at the same
1151       time learn a whole lot more.
1152
1153       Alex van den Bogaerdt <alex@vandenbogaerdt.nl>
1154
1155
1156
11571.4.4                             2009-10-15                    RRDTUTORIAL(1)
Impressum