1RRDTUTORIAL(1) rrdtool RRDTUTORIAL(1)
2
6 rrdtutorial - Alex van den Bogaerdt's RRDtool tutorial
7
9 RRDtool is written by Tobias Oetiker <tobi@oetiker.ch> with
10 contributions from many people all around the world. This document is
11 written by Alex van den Bogaerdt <alex@vandenbogaerdt.nl> to help you
12 understand what RRDtool is and what it can do for you.
13 The documentation provided with RRDtool can be too technical for some
15 people. This tutorial is here to help you understand the basics of
16 RRDtool. It should prepare you to read the documentation yourself. It
17 also explains the general things about statistics with a focus on
18 networking.
19
21 Important
22 Please don't skip ahead in this document! The first part of this
23 document explains the basics and may be boring. But if you don't
24 understand the basics, the examples will not be as meaningful to you.
25 Sometimes things change. This example used to provide numbers like
27 "0.04" instead of "4.00000e-02". Those are really the same numbers,
28 just written down differently. Don't be alarmed if a future version of
29 rrdtool displays a slightly different form of output. The examples in
30 this document are correct for version 1.2.0 of RRDtool.
31 Also, sometimes bugs do occur. They may also influence the outcome of
33 the examples. Example speed4.png was suffering from this (the handling
34 of unknown data in an if-statement was wrong). Normal data will be just
35 fine (a bug in rrdtool wouldn't last long) but special cases like NaN,
36 INF and so on may last a bit longer. Try another version if you can,
37 or just live with it.
38 I fixed the speed4.png example (and added a note). There may be other
40 examples which suffer from the same or a similar bug. Try to fix it
41 yourself, which is a great exercise. But please do not submit your
42 result as a fix to the source of this document. Discuss it on the
43 user's list, or write to me.
44 What is RRDtool?
46 RRDtool refers to Round Robin Database tool. Round robin is a
47 technique that works with a fixed amount of data, and a pointer to the
48 current element. Think of a circle with some dots plotted on the edge.
49 These dots are the places where data can be stored. Draw an arrow from
50 the center of the circle to one of the dots; this is the pointer. When
51 the current data is read or written, the pointer moves to the next
52 element. As we are on a circle there is neither a beginning nor an end,
53 you can go on and on and on. After a while, all the available places
54 will be used and the process automatically reuses old locations. This
55 way, the dataset will not grow in size and therefore requires no
56 maintenance. RRDtool works with Round Robin Databases (RRDs). It
57 stores and retrieves data from them.
58 What data can be put into an RRD?
60 You name it, it will probably fit as long as it is some sort of time-
61 series data. This means you have to be able to measure some value at
62 several points in time and provide this information to RRDtool. If you
63 can do this, RRDtool will be able to store it. The values must be
64 numerical but don't have to be integers, as is the case with MRTG (the
65 next section will give more details on this more specialized
66 application).
67 Many examples below talk about SNMP which is an acronym for Simple
69 Network Management Protocol. "Simple" refers to the protocol. It does
70 not mean it is simple to manage or monitor a network. After working
71 your way through this document, you should know enough to be able to
72 understand what people are talking about. For now, just realize that
73 SNMP can be used to query devices for the values of counters they keep.
74 It is the value from those counters that we want to store in the RRD.
75 What can I do with this tool?
77 RRDtool originated from MRTG (Multi Router Traffic Grapher). MRTG
78 started as a tiny little script for graphing the use of a university's
79 connection to the Internet. MRTG was later (ab-)used as a tool for
80 graphing other data sources including temperature, speed, voltage,
81 number of printouts and the like.
82 Most likely you will start to use RRDtool to store and process data
84 collected via SNMP. The data will most likely be bytes (or bits)
85 transferred from and to a network or a computer. But it can also be
86 used to display tidal waves, solar radiation, power consumption, number
87 of visitors at an exhibition, noise levels near an airport, temperature
88 on your favorite holiday location, temperature in the fridge and
89 whatever your imagination can come up with.
90 You only need a sensor to measure the data and be able to feed the
92 numbers into RRDtool. RRDtool then lets you create a database, store
93 data in it, retrieve that data and create graphs in PNG format for
94 display on a web browser. Those PNG images are dependent on the data
95 you collected and could be, for instance, an overview of the average
96 network usage, or the peaks that occurred.
97 What if I still have problems after reading this document?
99 First of all: read it again! You may have missed something. If you are
100 unable to compile the sources and you have a fairly common OS, it will
101 probably not be the fault of RRDtool. There may be pre-compiled
102 versions around on the Internet. If they come from trusted sources, get
103 one of those.
104 If on the other hand the program works but does not give you the
106 expected results, it will be a problem with configuring it. Review your
107 configuration and compare it with the examples that follow.
108 There is a mailing list and an archive of it. Read the list for a few
110 weeks and search the archive. It is considered rude to just ask a
111 question without searching the archives: your problem may already have
112 been solved for somebody else! This is true for most, if not all,
113 mailing lists and not only for this particular one. Look in the
114 documentation that came with RRDtool for the location and usage of the
115 list.
116 I suggest you take a moment to subscribe to the mailing list right now
118 by sending an email to <rrd-users-request@lists.oetiker.ch> with a
119 subject of "subscribe". If you ever want to leave this list, just write
120 an email to the same address but now with a subject of "unsubscribe".
121 How will you help me?
123 By giving you some detailed descriptions with detailed examples. I
124 assume that following the instructions in the order presented will give
125 you enough knowledge of RRDtool to experiment for yourself. If it
126 doesn't work the first time, don't give up. Reread the stuff that you
127 did understand, you may have missed something.
128 By following the examples you get some hands-on experience and, even
130 more important, some background information of how it works.
131 You will need to know something about hexadecimal numbers. If you
133 don't, start with reading bin_dec_hex before you continue here.
134 Your first Round Robin Database
136 In my opinion the best way to learn something is to actually do it.
137 Why not start right now? We will create a database, put some values in
138 it and extract this data again. Your output should be the same as the
139 output that is included in this document.
140 We will start with some easy stuff and compare a car with a router, or
142 compare kilometers (miles if you wish) with bits and bytes. It's all
143 the same: some number over some time.
144 Assume we have a device that transfers bytes to and from the Internet.
146 This device keeps a counter that starts at zero when it is turned on,
147 increasing with every byte that is transferred. This counter will
148 probably have a maximum value. If this value is reached and an extra
149 byte is counted, the counter starts over at zero. This is the same as
150 many counters in the world such as the mileage counter in a car.
151 Most discussions about networking talk about bits per second so let's
153 get used to that right away. Assume a byte is eight bits and start to
154 think in bits not bytes. The counter, however, still counts bytes! In
155 the SNMP world most of the counters are 32 bits. That means they are
156 counting from 0 to 4294967295. We will use these values in the
157 examples. The device, when asked, returns the current value of the
158 counter. We know the time that has passes since we last asked so we now
159 know how many bytes have been transferred ***on average*** per second.
160 This is not very hard to calculate. First in words, then in
161 calculations:
162 1. Take the current counter, subtract the previous value from it.
164 2. Do the same with the current time and the previous time (in
166 seconds).
167 3. Divide the outcome of (1) by the outcome of (2), the result is the
169 amount of bytes per second. Multiply by eight to get the number of
170 bits per second (bps).
171 bps = (counter_now - counter_before) / (time_now - time_before) * 8
173 For some people it may help to translate this to an automobile example.
175 Do not try this example, and if you do, don't blame me for the results!
176 People who are not used to think in kilometers per hour can translate
178 most into miles per hour by dividing km by 1.6 (close enough). I will
179 use the following abbreviations:
180 m: meter
182 km: kilometer (= 1000 meters).
183 h: hour
184 s: second
185 km/h: kilometers per hour
186 m/s: meters per second
187 You are driving a car. At 12:05 you read the counter in the dashboard
189 and it tells you that the car has moved 12345 km until that moment. At
190 12:10 you look again, it reads 12357 km. This means you have traveled
191 12 km in five minutes. A scientist would translate that into meters per
192 second and this makes a nice comparison toward the problem of (bytes
193 per five minutes) versus (bits per second).
194 We traveled 12 kilometers which is 12000 meters. We did that in five
196 minutes or 300 seconds. Our speed is 12000m / 300s or 40 m/s.
197 We could also calculate the speed in km/h: 12 times 5 minutes is an
199 hour, so we have to multiply 12 km by 12 to get 144 km/h. For our
200 native English speaking friends: that's 90 mph so don't try this
201 example at home or where I live :)
202 Remember: these numbers are averages only. There is no way to figure
204 out from the numbers, if you drove at a constant speed. There is an
205 example later on in this tutorial that explains this.
206 I hope you understand that there is no difference in calculating m/s or
208 bps; only the way we collect the data is different. Even the k from
209 kilo is the same as in networking terms k also means 1000.
210 We will now create a database where we can keep all these interesting
212 numbers. The method used to start the program may differ slightly from
213 OS to OS, but I assume you can figure it out if it works different on
214 yours. Make sure you do not overwrite any file on your system when
215 executing the following command and type the whole line as one long
216 line (I had to split it for readability) and skip all of the '\'
217 characters.
218 rrdtool create test.rrd \
220 --start 920804400 \
221 DS:speed:COUNTER:600:U:U \
222 RRA:AVERAGE:0.5:1:24 \
223 RRA:AVERAGE:0.5:6:10
224 (So enter: "rrdtool create test.rrd --start 920804400 DS ...")
226 What has been created?
228 We created the round robin database called test (test.rrd) which starts
229 at noon the day I started writing this document, 7th of March, 1999
230 (this date translates to 920804400 seconds as explained below). Our
231 database holds one data source (DS) named "speed" that represents a
232 counter. This counter is read every five minutes (this is the default
233 therefore you don't have to put "--step=300"). In the same database
234 two round robin archives (RRAs) are kept, one averages the data every
235 time it is read (i.e., there's nothing to average) and keeps 24 samples
236 (24 times 5 minutes is 2 hours). The other averages 6 values (half
237 hour) and contains 10 such averages (e.g. 5 hours).
238 RRDtool works with special time stamps coming from the UNIX world.
240 This time stamp is the number of seconds that passed since January 1st
241 1970 UTC. The time stamp value is translated into local time and it
242 will therefore look different for different time zones.
243 Chances are that you are not in the same part of the world as I am.
245 This means your time zone is different. In all examples where I talk
246 about time, the hours may be wrong for you. This has little effect on
247 the results of the examples, just correct the hours while reading. As
248 an example: where I will see "12:05" the UK folks will see "11:05".
249 We now have to fill our database with some numbers. We'll pretend to
251 have read the following numbers:
252 12:05 12345 km
254 12:10 12357 km
255 12:15 12363 km
256 12:20 12363 km
257 12:25 12363 km
258 12:30 12373 km
259 12:35 12383 km
260 12:40 12393 km
261 12:45 12399 km
262 12:50 12405 km
263 12:55 12411 km
264 13:00 12415 km
265 13:05 12420 km
266 13:10 12422 km
267 13:15 12423 km
268 We fill the database as follows:
270 rrdtool update test.rrd 920804700:12345 920805000:12357 920805300:12363
272 rrdtool update test.rrd 920805600:12363 920805900:12363 920806200:12373
273 rrdtool update test.rrd 920806500:12383 920806800:12393 920807100:12399
274 rrdtool update test.rrd 920807400:12405 920807700:12411 920808000:12415
275 rrdtool update test.rrd 920808300:12420 920808600:12422 920808900:12423
276 This reads: update our test database with the following numbers
278 time 920804700, value 12345
280 time 920805000, value 12357
281 etcetera.
283 As you can see, it is possible to feed more than one value into the
285 database in one command. I had to stop at three for readability but the
286 real maximum per line is OS dependent.
287 We can now retrieve the data from our database using "rrdtool fetch":
289 rrdtool fetch test.rrd AVERAGE --start 920804400 --end 920809200
291 It should return the following output:
293 speed
295 920804700: nan
297 920805000: 4.0000000000e-02
298 920805300: 2.0000000000e-02
299 920805600: 0.0000000000e+00
300 920805900: 0.0000000000e+00
301 920806200: 3.3333333333e-02
302 920806500: 3.3333333333e-02
303 920806800: 3.3333333333e-02
304 920807100: 2.0000000000e-02
305 920807400: 2.0000000000e-02
306 920807700: 2.0000000000e-02
307 920808000: 1.3333333333e-02
308 920808300: 1.6666666667e-02
309 920808600: 6.6666666667e-03
310 920808900: 3.3333333333e-03
311 920809200: nan
312 920809500: nan
313 Note that you might get more rows than you expect. The reason for this
315 is that you ask for a time range that ends on 920809200. The number
316 that is written behind 920809200: in the list above covers the time
317 range from 920808900 to 920809200, EXCLUDING 920809200. Hence to be on
318 the sure side, you receive the entry from 920809200 to 920809500 as
319 well since it INCLUDES 920809200. You may also see "NaN" instead of
320 "nan" this is OS dependent. "NaN" stands for "Not A Number". If your
321 OS writes "U" or "UNKN" or something similar that's okay. If something
322 else is wrong, it will probably be due to an error you made (assuming
323 that my tutorial is correct of course :-). In that case: delete the
324 database and try again.
325 The meaning of the above output will become clear below.
327 Time to create some graphics
329 Try the following command:
330 rrdtool graph speed.png \
332 --start 920804400 --end 920808000 \
333 DEF:myspeed=test.rrd:speed:AVERAGE \
334 LINE2:myspeed#FF0000
335 This will create speed.png which starts at 12:00 and ends at 13:00.
337 There is a definition of a variable called myspeed, using the data from
338 RRA "speed" out of database "test.rrd". The line drawn is 2 pixels high
339 and represents the variable myspeed. The color is red (specified by its
340 rgb-representation, see below).
341 You'll notice that the start of the graph is not at 12:00 but at 12:05.
343 This is because we have insufficient data to tell the average before
344 that time. This will only happen when you miss some samples, this will
345 not happen a lot, hopefully.
346 If this has worked: congratulations! If not, check what went wrong.
348 The colors are built up from red, green and blue. For each of the
350 components, you specify how much to use in hexadecimal where 00 means
351 not included and FF means fully included. The "color" white is a
352 mixture of red, green and blue: FFFFFF The "color" black is all colors
353 off: 000000
354 red #FF0000
356 green #00FF00
357 blue #0000FF
358 magenta #FF00FF (mixed red with blue)
359 gray #555555 (one third of all components)
360 Additionally you can (with a recent RRDtool) add an alpha channel
362 (transparency). The default will be "FF" which means non-transparent.
363 The PNG you just created can be displayed using your favorite image
365 viewer. Web browsers will display the PNG via the URL
366 "file:///the/path/to/speed.png"
367 Graphics with some math
369 When looking at the image, you notice that the horizontal axis is
370 labeled 12:10, 12:20, 12:30, 12:40 and 12:50. Sometimes a label doesn't
371 fit (12:00 and 13:00 would be likely candidates) so they are skipped.
372 The vertical axis displays the range we entered. We provided kilometers
374 and when divided by 300 seconds, we get very small numbers. To be
375 exact, the first value was 12 (12357-12345) and divided by 300 this
376 makes 0.04, which is displayed by RRDtool as "40 m" meaning "40/1000".
377 The "m" (milli) has nothing to do with meters (also m), kilometers or
378 millimeters! RRDtool doesn't know about the physical units of our data,
379 it just works with dimensionless numbers.
380 If we had measured our distances in meters, this would have been
382 (12357000-12345000)/300 = 12000/300 = 40.
383 As most people have a better feel for numbers in this range, we'll
385 correct that. We could recreate our database and store the correct
386 data, but there is a better way: we do some calculations while creating
387 the png file!
388 rrdtool graph speed2.png \
390 --start 920804400 --end 920808000 \
391 --vertical-label m/s \
392 DEF:myspeed=test.rrd:speed:AVERAGE \
393 CDEF:realspeed=myspeed,1000,\* \
394 LINE2:realspeed#FF0000
395 Note: I need to escape the multiplication operator * with a backslash.
397 If I don't, the operating system may interpret it and use it for file
398 name expansion. You could also place the line within quotation marks
399 like so:
400 "CDEF:realspeed=myspeed,1000,*" \
402 It boils down to: it is RRDtool which should see *, not your shell.
404 And it is your shell interpreting \, not RRDtool. You may need to
405 adjust examples accordingly if you happen to use an operating system or
406 shell which behaves differently.
407 After viewing this PNG, you notice the "m" (milli) has disappeared.
409 This is what the correct result would be. Also, a label has been added
410 to the image. Apart from the things mentioned above, the PNG should
411 look the same.
412 The calculations are specified in the CDEF part above and are in
414 Reverse Polish Notation ("RPN"). What we requested RRDtool to do is:
415 "take the data source myspeed and the number 1000; multiply those".
416 Don't bother with RPN yet, it will be explained later on in more
417 detail. Also, you may want to read my tutorial on CDEFs and Steve
418 Rader's tutorial on RPN. But first finish this tutorial.
419 Hang on! If we can multiply values with 1000, it should also be
421 possible to display kilometers per hour from the same data!
422 To change a value that is measured in meters per second:
424 Calculate meters per hour: value * 3600
426 Calculate kilometers per hour: value / 1000
427 Together this makes: value * (3600/1000) or value * 3.6
428 In our example database we made a mistake and we need to compensate for
430 this by multiplying with 1000. Applying that correction:
431 value * 3.6 * 1000 == value * 3600
433 Now let's create this PNG, and add some more magic ...
435 rrdtool graph speed3.png \
437 --start 920804400 --end 920808000 \
438 --vertical-label km/h \
439 DEF:myspeed=test.rrd:speed:AVERAGE \
440 "CDEF:kmh=myspeed,3600,*" \
441 CDEF:fast=kmh,100,GT,kmh,0,IF \
442 CDEF:good=kmh,100,GT,0,kmh,IF \
443 HRULE:100#0000FF:"Maximum allowed" \
444 AREA:good#00FF00:"Good speed" \
445 AREA:fast#FF0000:"Too fast"
446 Note: here we use another means to escape the * operator by enclosing
448 the whole string in double quotes.
449 This graph looks much better. Speed is shown in km/h and there is even
451 an extra line with the maximum allowed speed (on the road I travel on).
452 I also changed the colors used to display speed and changed it from a
453 line into an area.
454 The calculations are more complex now. For speed measurements within
456 the speed limit they are:
457 Check if kmh is greater than 100 ( kmh,100 ) GT
459 If so, return 0, else kmh ((( kmh,100 ) GT ), 0, kmh) IF
460 For values above the speed limit:
462 Check if kmh is greater than 100 ( kmh,100 ) GT
464 If so, return kmh, else return 0 ((( kmh,100) GT ), kmh, 0) IF
465 Graphics Magic
467 I like to believe there are virtually no limits to how RRDtool graph
468 can manipulate data. I will not explain how it works, but look at the
469 following PNG:
470 rrdtool graph speed4.png \
472 --start 920804400 --end 920808000 \
473 --vertical-label km/h \
474 DEF:myspeed=test.rrd:speed:AVERAGE \
475 CDEF:nonans=myspeed,UN,0,myspeed,IF \
476 CDEF:kmh=nonans,3600,* \
477 CDEF:fast=kmh,100,GT,100,0,IF \
478 CDEF:over=kmh,100,GT,kmh,100,-,0,IF \
479 CDEF:good=kmh,100,GT,0,kmh,IF \
480 HRULE:100#0000FF:"Maximum allowed" \
481 AREA:good#00FF00:"Good speed" \
482 AREA:fast#550000:"Too fast" \
483 STACK:over#FF0000:"Over speed"
484 Remember the note in the beginning? I had to remove unknown data from
486 this example. The 'nonans' CDEF is new, and the 6th line (which used to
487 be the 5th line) used to read 'CDEF:kmh=myspeed,3600,*'
488 Let's create a quick and dirty HTML page to view the three PNGs:
490 <HTML><HEAD><TITLE>Speed</TITLE></HEAD><BODY>
492 <IMG src="speed2.png" alt="Speed in meters per second">
493 <BR>
494 <IMG src="speed3.png" alt="Speed in kilometers per hour">
495 <BR>
496 <IMG src="speed4.png" alt="Traveled too fast?">
497 </BODY></HTML>
498 Name the file "speed.html" or similar, and look at it in your web
500 browser.
501 Now, all you have to do is measure the values regularly and update the
503 database. When you want to view the data, recreate the PNGs and make
504 sure to refresh them in your browser. (Note: just clicking reload may
505 not be enough, especially when proxies are involved. Try shift-reload
506 or ctrl-F5).
507 Updates in Reality
509 We've already used the "update" command: it took one or more parameters
510 in the form of "<time>:<value>". You'll be glad to know that you can
511 specify the current time by filling in a "N" as the time. Or you could
512 use the "time" function in Perl (the shortest example in this
513 tutorial):
514 perl -e 'print time, "\n" '
516 How to run a program on regular intervals is OS specific. But here is
518 an example in pseudo code:
519 - Get the value and put it in variable "$speed"
521 - rrdtool update speed.rrd N:$speed
522 (do not try this with our test database, we'll use it in further
524 examples)
525 This is all. Run the above script every five minutes. When you need to
527 know what the graphs look like, run the examples above. You could put
528 them in a script as well. After running that script, view the page
529 speed.html we created above.
530 Some words on SNMP
532 I can imagine very few people that will be able to get real data from
533 their car every five minutes. All other people will have to settle for
534 some other kind of counter. You could measure the number of pages
535 printed by a printer, for example, the cups of coffee made by the
536 coffee machine, a device that counts the electricity used, whatever.
537 Any incrementing counter can be monitored and graphed using the stuff
538 you learned so far. Later on we will also be able to monitor other
539 types of values like temperature.
540 Many people interested in RRDtool will use the counter that keeps track
542 of octets (bytes) transferred by a network device. So let's do just
543 that next. We will start with a description of how to collect data.
544 Some people will make a remark that there are tools which can do this
546 data collection for you. They are right! However, I feel it is
547 important that you understand they are not necessary. When you have to
548 determine why things went wrong you need to know how they work.
549 One tool used in the example has been talked about very briefly in the
551 beginning of this document, it is called SNMP. It is a way of talking
552 to networked equipment. The tool I use below is called "snmpget" and
553 this is how it works:
554 snmpget device password OID
556 or
558 snmpget -v[version] -c[password] device OID
560 For device you substitute the name, or the IP address, of your device.
562 For password you use the "community read string" as it is called in the
563 SNMP world. For some devices the default of "public" might work,
564 however this can be disabled, altered or protected for privacy and
565 security reasons. Read the documentation that comes with your device
566 or program.
567 Then there is this parameter, called OID, which means "object
569 identifier".
570 When you start to learn about SNMP it looks very confusing. It isn't
572 all that difficult when you look at the Management Information Base
573 ("MIB"). It is an upside-down tree that describes data, with a single
574 node as the root and from there a number of branches. These branches
575 end up in another node, they branch out, etc. All the branches have a
576 name and they form the path that we follow all the way down. The
577 branches that we follow are named: iso, org, dod, internet, mgmt and
578 mib-2. These names can also be written down as numbers and are 1 3 6 1
579 2 1.
580 iso.org.dod.internet.mgmt.mib-2 (1.3.6.1.2.1)
582 There is a lot of confusion about the leading dot that some programs
584 use. There is *no* leading dot in an OID. However, some programs can
585 use the above part of OIDs as a default. To indicate the difference
586 between abbreviated OIDs and full OIDs they need a leading dot when you
587 specify the complete OID. Often those programs will leave out the
588 default portion when returning the data to you. To make things worse,
589 they have several default prefixes ...
590 Ok, lets continue to the start of our OID: we had 1.3.6.1.2.1 From
592 there, we are especially interested in the branch "interfaces" which
593 has number 2 (e.g., 1.3.6.1.2.1.2 or 1.3.6.1.2.1.interfaces).
594 First, we have to get some SNMP program. First look if there is a pre-
596 compiled package available for your OS. This is the preferred way. If
597 not, you will have to get the sources yourself and compile those. The
598 Internet is full of sources, programs etc. Find information using a
599 search engine or whatever you prefer.
600 Assume you got the program. First try to collect some data that is
602 available on most systems. Remember: there is a short name for the part
603 of the tree that interests us most in the world we live in!
604 I will give an example which can be used on Fedora Core 3. If it
606 doesn't work for you, work your way through the manual of snmp and
607 adapt the example to make it work.
608 snmpget -v2c -c public myrouter system.sysDescr.0
610 The device should answer with a description of itself, perhaps an empty
612 one. Until you got a valid answer from a device, perhaps using a
613 different "password", or a different device, there is no point in
614 continuing.
615 snmpget -v2c -c public myrouter interfaces.ifNumber.0
617 Hopefully you get a number as a result, the number of interfaces. If
619 so, you can carry on and try a different program called "snmpwalk".
620 snmpwalk -v2c -c public myrouter interfaces.ifTable.ifEntry.ifDescr
622 If it returns with a list of interfaces, you're almost there. Here's
624 an example:
625 [user@host /home/alex]$ snmpwalk -v2c -c public cisco 2.2.1.2
626 interfaces.ifTable.ifEntry.ifDescr.1 = "BRI0: B-Channel 1"
628 interfaces.ifTable.ifEntry.ifDescr.2 = "BRI0: B-Channel 2"
629 interfaces.ifTable.ifEntry.ifDescr.3 = "BRI0" Hex: 42 52 49 30
630 interfaces.ifTable.ifEntry.ifDescr.4 = "Ethernet0"
631 interfaces.ifTable.ifEntry.ifDescr.5 = "Loopback0"
632 On this cisco equipment, I would like to monitor the "Ethernet0"
634 interface and from the above output I see that it is number four. I
635 try:
636 [user@host /home/alex]$ snmpget -v2c -c public cisco 2.2.1.10.4 2.2.1.16.4
638 interfaces.ifTable.ifEntry.ifInOctets.4 = 2290729126
640 interfaces.ifTable.ifEntry.ifOutOctets.4 = 1256486519
641 So now I have two OIDs to monitor and they are (in full, this time):
643 1.3.6.1.2.1.2.2.1.10
645 and
647 1.3.6.1.2.1.2.2.1.16
649 both with an interface number of 4.
651 Don't get fooled, this wasn't my first try. It took some time for me
653 too to understand what all these numbers mean. It does help a lot when
654 they get translated into descriptive text... At least, when people are
655 talking about MIBs and OIDs you know what it's all about. Do not
656 forget the interface number (0 if it is not interface dependent) and
657 try snmpwalk if you don't get an answer from snmpget.
658 If you understand the above section and get numbers from your device,
660 continue on with this tutorial. If not, then go back and re-read this
661 part.
662 A Real World Example
664 Let the fun begin. First, create a new database. It contains data from
665 two counters, called input and output. The data is put into archives
666 that average it. They take 1, 6, 24 or 288 samples at a time. They
667 also go into archives that keep the maximum numbers. This will be
668 explained later on. The time in-between samples is 300 seconds, a good
669 starting point, which is the same as five minutes.
670 1 sample "averaged" stays 1 period of 5 minutes
672 6 samples averaged become one average on 30 minutes
673 24 samples averaged become one average on 2 hours
674 288 samples averaged become one average on 1 day
675 Lets try to be compatible with MRTG which stores about the following
677 amount of data:
678 600 5-minute samples: 2 days and 2 hours
680 600 30-minute samples: 12.5 days
681 600 2-hour samples: 50 days
682 732 1-day samples: 732 days
683 These ranges are appended, so the total amount of data stored in the
685 database is approximately 797 days. RRDtool stores the data
686 differently, it doesn't start the "weekly" archive where the "daily"
687 archive stopped. For both archives the most recent data will be near
688 "now" and therefore we will need to keep more data than MRTG does!
689 We will need:
691 600 samples of 5 minutes (2 days and 2 hours)
693 700 samples of 30 minutes (2 days and 2 hours, plus 12.5 days)
694 775 samples of 2 hours (above + 50 days)
695 797 samples of 1 day (above + 732 days, rounded up to 797)
696 rrdtool create myrouter.rrd \
698 DS:input:COUNTER:600:U:U \
699 DS:output:COUNTER:600:U:U \
700 RRA:AVERAGE:0.5:1:600 \
701 RRA:AVERAGE:0.5:6:700 \
702 RRA:AVERAGE:0.5:24:775 \
703 RRA:AVERAGE:0.5:288:797 \
704 RRA:MAX:0.5:1:600 \
705 RRA:MAX:0.5:6:700 \
706 RRA:MAX:0.5:24:775 \
707 RRA:MAX:0.5:288:797
708 Next thing to do is to collect data and store it. Here is an example.
710 It is written partially in pseudo code, you will have to find out what
711 to do exactly on your OS to make it work.
712 while not the end of the universe
714 do
715 get result of
716 snmpget router community 2.2.1.10.4
717 into variable $in
718 get result of
719 snmpget router community 2.2.1.16.4
720 into variable $out
721 rrdtool update myrouter.rrd N:$in:$out
723 wait for 5 minutes
725 done
726 Then, after collecting data for a day, try to create an image using:
728 rrdtool graph myrouter-day.png --start -86400 \
730 DEF:inoctets=myrouter.rrd:input:AVERAGE \
731 DEF:outoctets=myrouter.rrd:output:AVERAGE \
732 AREA:inoctets#00FF00:"In traffic" \
733 LINE1:outoctets#0000FF:"Out traffic"
734 This should produce a picture with one day worth of traffic. One day
736 is 24 hours of 60 minutes of 60 seconds: 24*60*60=86400, we start at
737 now minus 86400 seconds. We define (with DEFs) inoctets and outoctets
738 as the average values from the database myrouter.rrd and draw an area
739 for the "in" traffic and a line for the "out" traffic.
740 View the image and keep logging data for a few more days. If you like,
742 you could try the examples from the test database and see if you can
743 get various options and calculations to work.
744 Suggestion: Display in bytes per second and in bits per second. Make
746 the Ethernet graphics go red if they are over four megabits per second.
747 Consolidation Functions
749 A few paragraphs back I mentioned the possibility of keeping the
750 maximum values instead of the average values. Let's go into this a bit
751 more.
752 Recall all the stuff about the speed of the car. Suppose we drove at
754 144 km/h during 5 minutes and then were stopped by the police for 25
755 minutes. At the end of the lecture we would take our laptop and create
756 and view the image taken from the database. If we look at the second
757 RRA we did create, we would have the average from 6 samples. The
758 samples measured would be 144+0+0+0+0+0=144, divided by 30 minutes,
759 corrected for the error by 1000, translated into km/h, with a result of
760 24 km/h. I would still get a ticket but not for speeding anymore :)
761 Obviously, in this case we shouldn't look at the averages. In some
763 cases they are handy. If you want to know how many km you had traveled,
764 the averaged picture would be the right one to look at. On the other
765 hand, for the speed that we traveled at, the maximum numbers seen is
766 much more interesting. Later we will see more types.
767 It is the same for data. If you want to know the amount, look at the
769 averages. If you want to know the rate, look at the maximum. Over
770 time, they will grow apart more and more. In the last database we have
771 created, there are two archives that keep data per day. The archive
772 that keeps averages will show low numbers, the archive that shows
773 maxima will have higher numbers.
774 For my car this would translate in averages per day of 96/24=4 km/h (as
776 I travel about 94 kilometers on a day) during working days, and maxima
777 of 120 km/h (my top speed that I reach every day).
778 Big difference. Do not look at the second graph to estimate the
780 distances that I travel and do not look at the first graph to estimate
781 my speed. This will work if the samples are close together, as they are
782 in five minutes, but not if you average.
783 On some days, I go for a long ride. If I go across Europe and travel
785 for 12 hours, the first graph will rise to about 60 km/h. The second
786 one will show 180 km/h. This means that I traveled a distance of 60
787 km/h times 24 h = 1440 km. I did this with a higher speed and a maximum
788 around 180 km/h. However, it probably doesn't mean that I traveled for
789 8 hours at a constant speed of 180 km/h!
790 This is a real example: go with the flow through Germany (fast!) and
792 stop a few times for gas and coffee. Drive slowly through Austria and
793 the Netherlands. Be careful in the mountains and villages. If you would
794 look at the graphs created from the five-minute averages you would get
795 a totally different picture. You would see the same values on the
796 average and maximum graphs (provided I measured every 300 seconds).
797 You would be able to see when I stopped, when I was in top gear, when I
798 drove over fast highways etc. The granularity of the data is much
799 higher, so you can see more. However, this takes 12 samples per hour,
800 or 288 values per day, so it would be a lot of data over a longer
801 period of time. Therefore we average it, eventually to one value per
802 day. From this one value, we cannot see much detail, of course.
803 Make sure you understand the last few paragraphs. There is no value in
805 only a line and a few axis, you need to know what they mean and
806 interpret the data in an appropriate way. This is true for all data.
807 The biggest mistake you can make is to use the collected data for
809 something that it is not suitable for. You would be better off if you
810 didn't have the graph at all.
811 Let's review what you now should know
813 You know how to create a database and can put data in it. You can get
814 the numbers out again by creating an image, do math on the data from
815 the database and view the result instead of the raw data. You know
816 about the difference between averages and maximum, and when to use
817 which (or at least you should have an idea).
818 RRDtool can do more than what we have learned up to now. Before you
820 continue with the rest of this doc, I recommend that you reread from
821 the start and try some modifications on the examples. Make sure you
822 fully understand everything. It will be worth the effort and helps you
823 not only with the rest of this tutorial, but also in your day to day
824 monitoring long after you read this introduction.
825 Data Source Types
827 All right, you feel like continuing. Welcome back and get ready for an
828 increased speed in the examples and explanations.
829 You know that in order to view a counter over time, you have to take
831 two numbers and divide the difference of them by the time lapsed. This
832 makes sense for the examples I gave you but there are other
833 possibilities. For instance, I'm able to retrieve the temperature from
834 my router in three places namely the inlet, the so called hot-spot and
835 the exhaust. These values are not counters. If I take the difference
836 of the two samples and divide that by 300 seconds I would be asking for
837 the temperature change per second. Hopefully this is zero! If not, the
838 computer room is probably on fire :)
839 So, what can we do? We can tell RRDtool to store the values we measure
841 directly as they are (this is not entirely true but close enough). The
842 graphs we make will look much better, they will show a rather constant
843 value. I know when the router is busy (it works -> it uses more
844 electricity -> it generates more heat -> the temperature rises). I know
845 when the doors are left open (the room is air conditioned) -> the warm
846 air from the rest of the building flows into the computer room -> the
847 inlet temperature rises). Etc. The data type we use when creating the
848 database before was counter, we now have a different data type and thus
849 a different name for it. It is called GAUGE. There are more such data
850 types:
851 - COUNTER we already know this one
853 - GAUGE we just learned this one
854 - DERIVE
855 - ABSOLUTE
856 The two additional types are DERIVE and ABSOLUTE. Absolute can be used
858 like counter with one difference: RRDtool assumes the counter is reset
859 when it's read. That is: its delta is known without calculation by
860 RRDtool whereas RRDtool needs to calculate it for the counter type.
861 Example: our first example (12345, 12357, 12363, 12363) would read:
862 unknown, 12, 6, 0. The rest of the calculations stay the same. The
863 other one, derive, is like counter. Unlike counter, it can also
864 decrease so it can have a negative delta. Again, the rest of the
865 calculations stay the same.
866 Let's try them all:
868 rrdtool create all.rrd --start 978300900 \
870 DS:a:COUNTER:600:U:U \
871 DS:b:GAUGE:600:U:U \
872 DS:c:DERIVE:600:U:U \
873 DS:d:ABSOLUTE:600:U:U \
874 RRA:AVERAGE:0.5:1:10
875 rrdtool update all.rrd \
876 978301200:300:1:600:300 \
877 978301500:600:3:1200:600 \
878 978301800:900:5:1800:900 \
879 978302100:1200:3:2400:1200 \
880 978302400:1500:1:2400:1500 \
881 978302700:1800:2:1800:1800 \
882 978303000:2100:4:0:2100 \
883 978303300:2400:6:600:2400 \
884 978303600:2700:4:600:2700 \
885 978303900:3000:2:1200:3000
886 rrdtool graph all1.png -s 978300600 -e 978304200 -h 400 \
887 DEF:linea=all.rrd:a:AVERAGE LINE3:linea#FF0000:"Line A" \
888 DEF:lineb=all.rrd:b:AVERAGE LINE3:lineb#00FF00:"Line B" \
889 DEF:linec=all.rrd:c:AVERAGE LINE3:linec#0000FF:"Line C" \
890 DEF:lined=all.rrd:d:AVERAGE LINE3:lined#000000:"Line D"
891 RRDtool under the Microscope
893 · Line A is a COUNTER type, so it should continuously increment and
894 RRDtool must calculate the differences. Also, RRDtool needs to divide
895 the difference by the amount of time lapsed. This should end up as a
896 straight line at 1 (the deltas are 300, the time is 300).
897 · Line B is of type GAUGE. These are "real" values so they should match
899 what we put in: a sort of a wave.
900 · Line C is of type DERIVE. It should be a counter that can decrease.
902 It does so between 2400 and 0, with 1800 in-between.
903 · Line D is of type ABSOLUTE. This is like counter but it works on
905 values without calculating the difference. The numbers are the same
906 and as you can see (hopefully) this has a different result.
907 This translates in the following values, starting at 23:10 and ending
909 at 00:10 the next day (where "u" means unknown/unplotted):
910 - Line A: u u 1 1 1 1 1 1 1 1 1 u
912 - Line B: u 1 3 5 3 1 2 4 6 4 2 u
913 - Line C: u u 2 2 2 0 -2 -6 2 0 2 u
914 - Line D: u 1 2 3 4 5 6 7 8 9 10 u
915 If your PNG shows all this, you know you have entered the data
917 correctly, the RRDtool executable is working properly, your viewer
918 doesn't fool you, and you successfully entered the year 2000 :)
919 You could try the same example four times, each time with only one of
921 the lines.
922 Let's go over the data again:
924 · Line A: 300,600,900 and so on. The counter delta is a constant 300
926 and so is the time delta. A number divided by itself is always 1
927 (except when dividing by zero which is undefined/illegal).
928 Why is it that the first point is unknown? We do know what we put
930 into the database, right? True, But we didn't have a value to
931 calculate the delta from, so we don't know where we started. It would
932 be wrong to assume we started at zero so we don't!
933 · Line B: There is nothing to calculate. The numbers are as they are.
935 · Line C: Again, the start-out value is unknown. This is the same story
937 as for line A. In this case the deltas are not constant, therefore
938 the line is not either. If we would put the same numbers in the
939 database as we did for line A, we would have gotten the same line.
940 Unlike type counter, this type can decrease and I hope to show you
941 later on why this makes a difference.
942 · Line D: Here the device calculates the deltas. Therefore we DO know
944 the first delta and it is plotted. We had the same input as with line
945 A, but the meaning of this input is different and thus the line is
946 different. In this case the deltas increase each time with 300. The
947 time delta stays at a constant 300 and therefore the division of the
948 two gives increasing values.
949 Counter Wraps
951 There are a few more basics to show. Some important options are still
952 to be covered and we haven't look at counter wraps yet. First the
953 counter wrap: In our car we notice that the counter shows 999987. We
954 travel 20 km and the counter should go to 1000007. Unfortunately, there
955 are only six digits on our counter so it really shows 000007. If we
956 would plot that on a type DERIVE, it would mean that the counter was
957 set back 999980 km. It wasn't, and there has to be some protection for
958 this. This protection is only available for type COUNTER which should
959 be used for this kind of counter anyways. How does it work? Type
960 counter should never decrease and therefore RRDtool must assume it
961 wrapped if it does decrease! If the delta is negative, this can be
962 compensated for by adding the maximum value of the counter + 1. For our
963 car this would be:
964 Delta = 7 - 999987 = -999980 (instead of 1000007-999987=20)
966 Real delta = -999980 + 999999 + 1 = 20
968 At the time of writing this document, RRDtool knows of counters that
970 are either 32 bits or 64 bits of size. These counters can handle the
971 following different values:
972 - 32 bits: 0 .. 4294967295
974 - 64 bits: 0 .. 18446744073709551615
975 If these numbers look strange to you, you can view them in their
977 hexadecimal form:
978 - 32 bits: 0 .. FFFFFFFF
980 - 64 bits: 0 .. FFFFFFFFFFFFFFFF
981 RRDtool handles both counters the same. If an overflow occurs and the
983 delta would be negative, RRDtool first adds the maximum of a small
984 counter + 1 to the delta. If the delta is still negative, it had to be
985 the large counter that wrapped. Add the maximum possible value of the
986 large counter + 1 and subtract the erroneously added small value.
987 There is a risk in this: suppose the large counter wrapped while adding
989 a huge delta, it could happen, theoretically, that adding the smaller
990 value would make the delta positive. In this unlikely case the results
991 would not be correct. The increase should be nearly as high as the
992 maximum counter value for that to happen, so chances are you would have
993 several other problems as well and this particular problem would not
994 even be worth thinking about. Even though, I did include an example, so
995 you can judge for yourself.
996 The next section gives you some numerical examples for counter-wraps.
998 Try to do the calculations yourself or just believe me if your
999 calculator can't handle the numbers :)
1000 Correction numbers:
1002 - 32 bits: (4294967295 + 1) = 4294967296
1004 - 64 bits: (18446744073709551615 + 1)
1005 - correction1 = 18446744069414584320
1006 Before: 4294967200
1008 Increase: 100
1009 Should become: 4294967300
1010 But really is: 4
1011 Delta: -4294967196
1012 Correction1: -4294967196 + 4294967296 = 100
1013 Before: 18446744073709551000
1015 Increase: 800
1016 Should become: 18446744073709551800
1017 But really is: 184
1018 Delta: -18446744073709550816
1019 Correction1: -18446744073709550816
1020 + 4294967296 = -18446744069414583520
1021 Correction2: -18446744069414583520
1022 + 18446744069414584320 = 800
1023 Before: 18446744073709551615 ( maximum value )
1025 Increase: 18446744069414584320 ( absurd increase, minimum for
1026 Should become: 36893488143124135935 this example to work )
1027 But really is: 18446744069414584319
1028 Delta: -4294967296
1029 Correction1: -4294967296 + 4294967296 = 0
1030 (not negative -> no correction2)
1031 Before: 18446744073709551615 ( maximum value )
1033 Increase: 18446744069414584319 ( one less increase )
1034 Should become: 36893488143124135934
1035 But really is: 18446744069414584318
1036 Delta: -4294967297
1037 Correction1: -4294967297 + 4294967296 = -1
1038 Correction2: -1 + 18446744069414584320 = 18446744069414584319
1039 As you can see from the last two examples, you need strange numbers for
1041 RRDtool to fail (provided it's bug free of course), so this should not
1042 happen. However, SNMP or whatever method you choose to collect the
1043 data, might also report wrong numbers occasionally. We can't prevent
1044 all errors, but there are some things we can do. The RRDtool "create"
1045 command takes two special parameters for this. They define the minimum
1046 and maximum allowed values. Until now, we used "U", meaning "unknown".
1047 If you provide values for one or both of them and if RRDtool receives
1048 data points that are outside these limits, it will ignore those values.
1049 For a thermometer in degrees Celsius, the absolute minimum is just
1050 under -273. For my router, I can assume this minimum is much higher so
1051 I would set it to 10, where as the maximum temperature I would set to
1052 80. Any higher and the device would be out of order.
1053 For the speed of my car, I would never expect negative numbers and also
1055 I would not expect a speed higher than 230. Anything else, and there
1056 must have been an error. Remember: the opposite is not true, if the
1057 numbers pass this check, it doesn't mean that they are correct. Always
1058 judge the graph with a healthy dose of suspicion if it seems weird to
1059 you.
1060 Data Resampling
1062 One important feature of RRDtool has not been explained yet: it is
1063 virtually impossible to collect data and feed it into RRDtool on exact
1064 intervals. RRDtool therefore interpolates the data, so they are stored
1065 on exact intervals. If you do not know what this means or how it works,
1066 then here's the help you seek:
1067 Suppose a counter increases by exactly one for every second. You want
1069 to measure it in 300 seconds intervals. You should retrieve values that
1070 are exactly 300 apart. However, due to various circumstances you are a
1071 few seconds late and the interval is 303. The delta will also be 303 in
1072 that case. Obviously, RRDtool should not put 303 in the database and
1073 make you believe that the counter increased by 303 in 300 seconds.
1074 This is where RRDtool interpolates: it alters the 303 value as if it
1075 would have been stored earlier and it will be 300 in 300 seconds. Next
1076 time you are at exactly the right time. This means that the current
1077 interval is 297 seconds and also the counter increased by 297. Again,
1078 RRDtool interpolates and stores 300 as it should be.
1079 in the RRD in reality
1081 time+000: 0 delta="U" time+000: 0 delta="U"
1083 time+300: 300 delta=300 time+300: 300 delta=300
1084 time+600: 600 delta=300 time+603: 603 delta=303
1085 time+900: 900 delta=300 time+900: 900 delta=297
1086 Let's create two identical databases. I've chosen the time range
1088 920805000 to 920805900 as this goes very well with the example numbers.
1089 rrdtool create seconds1.rrd \
1091 --start 920804700 \
1092 DS:seconds:COUNTER:600:U:U \
1093 RRA:AVERAGE:0.5:1:24
1094 Make a copy
1096 for Unix: cp seconds1.rrd seconds2.rrd
1098 for Dos: copy seconds1.rrd seconds2.rrd
1099 for vms: how would I know :)
1100 Put in some data
1102 rrdtool update seconds1.rrd \
1104 920805000:000 920805300:300 920805600:600 920805900:900
1105 rrdtool update seconds2.rrd \
1106 920805000:000 920805300:300 920805603:603 920805900:900
1107 Create output
1109 rrdtool graph seconds1.png \
1111 --start 920804700 --end 920806200 \
1112 --height 200 \
1113 --upper-limit 1.05 --lower-limit 0.95 --rigid \
1114 DEF:seconds=seconds1.rrd:seconds:AVERAGE \
1115 CDEF:unknown=seconds,UN \
1116 LINE2:seconds#0000FF \
1117 AREA:unknown#FF0000
1118 rrdtool graph seconds2.png \
1119 --start 920804700 --end 920806200 \
1120 --height 200 \
1121 --upper-limit 1.05 --lower-limit 0.95 --rigid \
1122 DEF:seconds=seconds2.rrd:seconds:AVERAGE \
1123 CDEF:unknown=seconds,UN \
1124 LINE2:seconds#0000FF \
1125 AREA:unknown#FF0000
1126 View both images together (add them to your index.html file) and
1128 compare. Both graphs should show the same, despite the input being
1129 different.
1130
1132 It's time now to wrap up this tutorial. We covered all the basics for
1133 you to be able to work with RRDtool and to read the additional
1134 documentation available. There is plenty more to discover about RRDtool
1135 and you will find more and more uses for this package. You can easily
1136 create graphs using just the examples provided and using only RRDtool.
1137 You can also use one of the front ends to RRDtool that are available.
1138
1140 Remember to subscribe to the RRDtool mailing list. Even if you are not
1141 answering to mails that come by, it helps both you and the rest of the
1142 users. A lot of the stuff that I know about MRTG (and therefore about
1143 RRDtool) I've learned while just reading the list without posting to
1144 it. I did not need to ask the basic questions as they are answered in
1145 the FAQ (read it!) and in various mails by other users. With thousands
1146 of users all over the world, there will always be people who ask
1147 questions that you can answer because you read this and other
1148 documentation and they didn't.
1149
1151 The RRDtool manpages
1152
1154 I hope you enjoyed the examples and their descriptions. If you do, help
1155 other people by pointing them to this document when they are asking
1156 basic questions. They will not only get their answers, but at the same
1157 time learn a whole lot more.
1158 Alex van den Bogaerdt <alex@vandenbogaerdt.nl>
11601.7.1 2019-02-04 RRDTUTORIAL(1)