Display Top 10 Containers by Traffic Sent And Received (MB)

Display the top 10 containers by sent and received traffic in MB

This is a query example for the Top 10 Containers by Traffic Sent and Received (MB) widget in the Docker Overview dashboard of the docker/metrics package.

Query

Query flow: Events → Add Field → Aggregate → Augment Data → Augment Data → Aggregate → Result Set
logscale
total_bytes:=(docker.network.in.bytes+docker.network.out.bytes)
| timechart(container.name, function=max(total_bytes), limit=10)
| unit:convert(_max, from=b, to=mb)
| round(_max)
| sort(_max, order=desc)

Introduction

This widget is used to display a list of the top 10 containers ranked by their combined inbound and outbound network traffic in megabytes.

In this widget, the timeChart() function is used to create a timechart grouped by container, aggregating the maximum value of a derived total bytes field, limited to the top 10 containers.

Example incoming data might look like this:

| @timestamp | #repo | #type | @id | @ingesttimestamp | @rawstring | @timestamp.nanos | @timezone |
|---|---|---|---|---|---|---|---|
| 2026-03-10T06:41:21 | auto-dashboard-queries | json | gtksp2dMmrYg9WSX5CeYyU5V_2_11_1773124881 | 2026-03-10T06:41:21 | {"docker.image.id.current":"sha256:abcd1234efgh5678","metricset.name":"image","docker.image.size.regular":"133169152","docker.image.created":"2026-03-10T06:41:21.002Z","event.module":"docker","docker.image.tags":["nginx:latest"],"@timestamp":"2026-03-10T06:41:21.002Z","host.name":"docker-host-01","agent.type":"metricbeat","@type":"docker","event.dataset":"docker.image","agent.version":"7.11.1","docker.image.size.virtual":"133169152","docker.image.id.parent":"sha256:parent1234567890ab","service.type":"docker","_datagen_identifier":"bbe9c9c08ebf329bc648a36a3991a240"} | 0 | Z |
| 2026-03-10T06:41:21 | auto-dashboard-queries | json | gtksp2dMmrYg9WSX5CeYyU5V_2_12_1773124881 | 2026-03-10T06:41:22 | {"@timestamp":"2026-03-10T06:41:21.801Z","event.module":"docker","host.name":"docker-host-02","container.image.name":"nginx:latest","agent.type":"metricbeat","metricset.name":"event","docker.event.action":"stop","docker.container.event.action":"start","_datagen_identifier":"bbe9c9c08ebf329bc648a36a3991a240","service.type":"docker","docker.container.event.type":"container","docker.container.event.from":"redis:6.2-alpine","container.id":"a1b2c3d4e5f6","container.name":"nginx-web","event.dataset":"docker.event","docker.container.event.status":"Up 2 hours","@type":"docker","agent.version":"7.12.0","docker.container.event.actor.id":"b2c3d4e5f6a7"} | 0 | Z |
| 2026-03-10T06:41:22 | auto-dashboard-queries | json | gtksp2dMmrYg9WSX5CeYyU5V_2_13_1773124882 | 2026-03-10T06:41:23 | {"docker.info.containers.paused":"0","docker.info.images":"15","metricset.name":"info","docker.info.containers.running":"5","agent.type":"metricbeat","host.name":"docker-host-03","event.module":"docker","@timestamp":"2026-03-10T06:41:22.581Z","agent.version":"7.13.2","@type":"docker","event.dataset":"docker.info","docker.info.containers.stopped":"2","docker.info.containers.total":"7","_datagen_identifier":"bbe9c9c08ebf329bc648a36a3991a240","service.type":"docker","docker.info.id":"ABCD:EFGH:IJKL:MNOP:QRST:UVWX:YZ12:3456"} | 0 | Z |
| 2026-03-10T06:41:23 | auto-dashboard-queries | json | gtksp2dMmrYg9WSX5CeYyU5V_2_14_1773124883 | 2026-03-10T06:41:24 | {"container.id":"c3d4e5f6a7b8","container.name":"redis-cache","_datagen_identifier":"bbe9c9c08ebf329bc648a36a3991a240","service.type":"docker","docker.healthcheck.failingstreak":"0","@type":"docker","event.dataset":"docker.healthcheck","agent.version":"7.14.0","agent.type":"metricbeat","container.image.name":"postgres:14","event.module":"docker","@timestamp":"2026-03-10T06:41:23.389Z","host.name":"swarm-manager-01","docker.healthcheck.status":"healthy","docker.healthcheck.event.end_date":"2026-03-10T06:41:23.389Z","metricset.name":"healthcheck","docker.healthcheck.event.exit_code":"0"} | 0 | Z |
| 2026-03-10T06:41:24 | auto-dashboard-queries | json | gtksp2dMmrYg9WSX5CeYyU5V_2_15_1773124884 | 2026-03-10T06:41:24 | {"container.id":"d4e5f6a7b8c9","container.name":"postgres-db","service.type":"docker","_datagen_identifier":"bbe9c9c08ebf329bc648a36a3991a240","docker.diskio.read.ops":"125","docker.diskio.read.bytes":"1048576","docker.diskio.summary.bytes":"3145728","@type":"docker","event.dataset":"docker.diskio","docker.diskio.write.bytes":"2097152","agent.version":"7.15.1","docker.diskio.write.ops":"234","agent.type":"metricbeat","container.image.name":"mongo:5.0","event.module":"docker","@timestamp":"2026-03-10T06:41:24.187Z","host.name":"swarm-worker-01","docker.diskio.summary.ops":"359","metricset.name":"diskio"} | 0 | Z |

The remaining columns of the example table (@type, _datagen_identifier, and agent.type through service.type) hold the fields parsed from @rawstring and repeat the values shown there.

Step-by-Step

  1. Starting with the source repository events.

  2. Add Field
    logscale
    total_bytes:=(docker.network.in.bytes+docker.network.out.bytes)

    Computes a new field named total_bytes by summing docker.network.in.bytes and docker.network.out.bytes using an inline assignment expression. This derived field represents the total combined network traffic in bytes for each event, and is used as the basis for aggregation in the subsequent step.

  3. Aggregate
    logscale
    | timechart(container.name, function=max(total_bytes), limit=10)

    Creates a timechart grouped by container.name, aggregating the maximum value of total_bytes per time bucket. The function parameter specifies max() to capture the peak total traffic per container within each time bucket, returning the result in the field _max. The limit parameter is set to 10, restricting the output to the top 10 containers by traffic volume. Each row in the output corresponds to a time bucket identified by the field _bucket.

  4. Augment Data
    logscale
    | unit:convert(_max, from=b, to=mb)

    Converts the values in _max from bytes to megabytes. The from parameter is set to b and the to parameter is set to mb, transforming the raw byte counts into a more human-readable megabyte representation suitable for display in the widget.

  5. Augment Data
    logscale
    | round(_max)

    Rounds the converted megabyte values in _max to the nearest whole number, removing decimal places to produce cleaner values for display in the widget table.

  6. Aggregate
    logscale
    | sort(_max, order=desc)

    Sorts the results by _max in descending order using sort(), with the order parameter set to desc. This ensures that the containers with the highest total network traffic appear at the top of the list, making it straightforward to identify the heaviest network consumers.

  7. Event Result set.

Summary and Results

The widget is used to identify the top 10 Docker containers by combined inbound and outbound network traffic, expressed in megabytes, by computing total bytes per event, aggregating the maximum over time per container, converting to megabytes, and sorting in descending order.

This widget is useful to operations and platform teams who need to monitor network traffic consumption across containers, quickly identifying which containers are the heaviest network users and whether any unexpected spikes in traffic may indicate performance issues or anomalous behaviour.

Sample output from the incoming example data:

| _bucket | container.name |
|---|---|
| 1773108900000 | rabbitmq-queue |
| 1773091800000 | prometheus-monitor |
| 1773108900000 | mongodb-data |
| 1773108900000 | worker-01 |
| 1773108900000 | backend-api |

The output shows one row per container per time bucket, with the container name in container.name and the time bucket timestamp in _bucket. The _max field containing the converted and rounded megabyte value is not populated in the sample result data shown here, as the incoming example events do not carry docker.network.in.bytes or docker.network.out.bytes field values.
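
The same pipeline re-implemented in Python over constructed events that do carry the network fields, so that _max is populated. This is an added example, not code from the docker/metrics package. The bucket span, decimal megabytes for the b to mb conversion, and the rule that limit keeps the series with the highest peak are assumptions.

```python
from collections import defaultdict

BUCKET_MS = 300_000   # assumed bucket span (5 minutes); the page does not state one
BYTES_PER_MB = 10**6  # assumed decimal megabytes for the b -> mb conversion

# Constructed events, not taken from the page. "postgres-db" is a diskio
# event without network fields, like the page's own sample data.
EVENTS = [
    {"@timestamp": 1773108905000, "container.name": "backend-api",
     "docker.network.in.bytes": "4200000", "docker.network.out.bytes": "1900000"},
    {"@timestamp": 1773108965000, "container.name": "backend-api",
     "docker.network.in.bytes": "9100000", "docker.network.out.bytes": "3300000"},
    {"@timestamp": 1773108910000, "container.name": "rabbitmq-queue",
     "docker.network.in.bytes": "52000000", "docker.network.out.bytes": "47300000"},
    {"@timestamp": 1773108920000, "container.name": "postgres-db",
     "docker.diskio.read.bytes": "1048576"},
]

def top_containers(events, limit=10, bucket_ms=BUCKET_MS):
    peaks = {}  # (bucket, container) -> max total_bytes, None if never set
    for ev in events:
        key = (ev["@timestamp"] // bucket_ms * bucket_ms, ev["container.name"])
        peaks.setdefault(key, None)
        rx = ev.get("docker.network.in.bytes")
        tx = ev.get("docker.network.out.bytes")
        if rx is None or tx is None:
            continue  # total_bytes is not assigned for this event
        total = int(rx) + int(tx)
        peaks[key] = total if peaks[key] is None else max(peaks[key], total)
    # limit: keep the N series with the highest peak (assumed ranking rule)
    best = defaultdict(lambda: -1)
    for (_, name), peak in peaks.items():
        best[name] = max(best[name], -1 if peak is None else peak)
    keep = set(sorted(best, key=best.get, reverse=True)[:limit])
    rows = [{"_bucket": b, "container.name": n,
             "_max": None if p is None else round(p / BYTES_PER_MB)}
            for (b, n), p in peaks.items() if n in keep]
    # sort(_max, order=desc); rows without _max go last
    return sorted(rows, key=lambda r: (r["_max"] is None, -(r["_max"] or 0)))

if __name__ == "__main__":
    for row in top_containers(EVENTS):
        print(row)
```

The postgres-db row comes back with an empty _max, which is the same situation as the page's sample output.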