Gathering Instance Network Traffic with OpenStack Gnocchi

Monitoring network traffic is crucial for managing the performance and security of virtual instances in cloud environments.

OpenStack, a popular open-source cloud computing platform, offers various services to track and analyze metrics, including Gnocchi, a time-series database designed to handle large volumes of monitoring data. This article provides a step-by-step guide on how to retrieve network traffic metrics for a specific instance using Gnocchi.


Before proceeding, ensure you have:

  • An operational OpenStack environment with Gnocchi service installed.
  • The necessary permissions to access and manipulate metrics within Gnocchi.
  • The OpenStack command-line client installed and configured on your system.

Step 1: Understanding Gnocchi Metrics

Gnocchi abstracts out metrics from different OpenStack services. For network metrics, it typically collects network.incoming.bytes and network.outgoing.bytes, representing the incoming and outgoing traffic, respectively. These metrics are stored against resource IDs, which correspond to specific instances.

Step 2: Identifying the Metric ID

To retrieve network traffic data for an instance, you first need the metric ID for network.incoming.bytes. You can find this by listing all metrics associated with the instance:

openstack metric list --resource-id <your_instance_id>

Look for network.incoming.bytes in the output and note down the corresponding ID.

Step 3: Gathering Network Traffic Data

With the metric ID, you can now use the Gnocchi aggregate command to gather network traffic data. Here’s a breakdown of the command:

gnocchi aggregate --start "2023-10-04T06:05:00+00:00" --groupby id --granularity 300 "(resample mean 1h (/(aggregate rate:mean (metric network.incoming.bytes mean)) 1048576))" id=<metric_id>
  • --start: The start time for the data retrieval in ISO 8601 format.
  • --groupby id: Groups the results by the metric ID.
  • --granularity: Sets the granularity of the data points (in seconds).
  • The complex expression within quotes calculates the mean incoming network traffic per hour, converting bytes to megabytes.

Replace <metric_id> with the actual metric ID obtained in the previous step.

Step 4: Analyzing the Output

Executing the command will provide you with the network traffic data, aggregated and resampled as specified. Analyze this data to understand the network usage pattern of your instance.

| group                                    | name       | timestamp                 | granularity |              value |
| id: f67fb264-e328-59b9-b7f9-87aded246ae6 | aggregated | 2023-10-06T23:00:00+00:00 |      3600.0 |  47.68278662363688 |
| id: f67fb264-e328-59b9-b7f9-87aded246ae6 | aggregated | 2023-10-07T00:00:00+00:00 |      3600.0 |  25.15988931655884 |
| id: f67fb264-e328-59b9-b7f9-87aded246ae6 | aggregated | 2023-10-07T01:00:00+00:00 |      3600.0 | 20.373515129089355 |
| id: f67fb264-e328-59b9-b7f9-87aded246ae6 | aggregated | 2023-10-07T02:00:00+00:00 |      3600.0 |  7.430292208989461 |
| id: f67fb264-e328-59b9-b7f9-87aded246ae6 | aggregated | 2023-10-07T03:00:00+00:00 |      3600.0 | 15.023133701748318 |
| id: f67fb264-e328-59b9-b7f9-87aded246ae6 | aggregated | 2023-10-07T04:00:00+00:00 |      3600.0 |   25.9063474867079 |
| id: f67fb264-e328-59b9-b7f9-87aded246ae6 | aggregated | 2023-10-07T05:00:00+00:00 |      3600.0 | 11.585014820098877 |
| id: f67fb264-e328-59b9-b7f9-87aded246ae6 | aggregated | 2023-10-07T06:00:00+00:00 |      3600.0 |  25.05031042098999 |
| id: f67fb264-e328-59b9-b7f9-87aded246ae6 | aggregated | 2023-10-07T07:00:00+00:00 |      3600.0 | 21.723405202229817 |
| id: f67fb264-e328-59b9-b7f9-87aded246ae6 | aggregated | 2023-10-07T08:00:00+00:00 |      3600.0 | 102.30258846282959 |
| id: f67fb264-e328-59b9-b7f9-87aded246ae6 | aggregated | 2023-10-07T09:00:00+00:00 |      3600.0 |  32.75668203830719 |

Here’s how to interpret the output:

Understanding the Columns

  • group: This is a unique identifier for the data grouping, based on the metric ID you specified.
  • name: The name given to the aggregated metric, which in this case is ‘aggregated’.
  • timestamp: The exact time at which the data point was recorded, in ISO 8601 format.
  • granularity: The time interval in seconds at which data is aggregated; here, it is 3600 seconds, which equals one hour.
  • value: The mean value of the incoming network traffic for the specified granularity, converted from bytes to megabytes.

Reading the Data

Each row represents an hour’s worth of data for the network traffic. For instance:

  • On 2023-10-06T23:00:00+00:00, the incoming network traffic was approximately 47.68 megabytes.
  • On 2023-10-07T00:00:00+00:00, it dropped to about 25.16 megabytes.

Spotting Patterns and Anomalies

By examining the hourly data, you can identify usage patterns and potential anomalies. For example, a significant increase to 102.30 megabytes at 2023-10-07T08:00:00+00:00 might indicate an unusual surge in network activity that could warrant further investigation.

Making Data-Driven Decisions

This data can inform decisions regarding capacity planning, performance optimization, and security monitoring. For instance, consistent high traffic could mean it’s time to scale resources up, while sudden spikes might suggest a security breach or a misconfiguration.


Gathering instance network traffic data in OpenStack using Gnocchi involves identifying the correct metric ID and using the aggregate command to retrieve and process the data. Regularly monitoring this metric can help in capacity planning, performance tuning, and security surveillance of your instances.