https://community.splunk.com/t5/Splunk-Enterprise/Metrics-log-some-information/m-p/671727#M18113 <P>Hi.<BR />I use a lot the metrics.log Indexer side, to debug some bottleneck and/or stress inside the Infrastructure.</P><P>There is a field, i can't really understand at all,</P><P>&nbsp;</P><LI-CODE lang="markup">INFO Metrics - group=tcpin_connections x.x.x.x:50496:9997 connectionType=cookedSSL sourcePort=50496 sourceHost=x.x.x.x sourceIp=x.x.x.x destPort=9997 kb=15.458984375 _tcp_avg_thruput=7.262044477222557 _tcp_Kprocessed=589.84765625 [...]</LI-CODE><P>&nbsp;</P><P>It's the "<STRONG><EM>tcp_Kprocessed"</EM> </STRONG>field,<BR /><SPAN class=""><SPAN class=""><SPAN class="">especially related to the field</SPAN></SPAN></SPAN> "<EM><STRONG>kb</STRONG></EM>", which is <SPAN class=""><SPAN class=""><SPAN class="">the most important, in my opinion</SPAN></SPAN></SPAN>.</P><P>What is in practice "<STRONG><EM>tcp_Kprocessed</EM></STRONG>", considering that its values are often very inconsistent and not proportionate to the kb?</P><P>Thanks.</P> Wed, 13 Dec 2023 13:38:23 GMT verbal_666 2023-12-13T13:38:23Z https://community.splunk.com/t5/Splunk-Enterprise/Metrics-log-some-information/m-p/671727#M18113 <P>Hi.<BR />I use a lot the metrics.log Indexer side, to debug some bottleneck and/or stress inside the Infrastructure.</P><P>There is a field, i can't really understand at all,</P><P>&nbsp;</P><LI-CODE lang="markup">INFO Metrics - group=tcpin_connections x.x.x.x:50496:9997 connectionType=cookedSSL sourcePort=50496 sourceHost=x.x.x.x sourceIp=x.x.x.x destPort=9997 kb=15.458984375 _tcp_avg_thruput=7.262044477222557 _tcp_Kprocessed=589.84765625 [...]</LI-CODE><P>&nbsp;</P><P>It's the "<STRONG><EM>tcp_Kprocessed"</EM> </STRONG>field,<BR /><SPAN class=""><SPAN class=""><SPAN class="">especially related to the field</SPAN></SPAN></SPAN> "<EM><STRONG>kb</STRONG></EM>", which is <SPAN class=""><SPAN class=""><SPAN class="">the most important, in my opinion</SPAN></SPAN></SPAN>.</P><P>What is in practice "<STRONG><EM>tcp_Kprocessed</EM></STRONG>", considering that its values are often very inconsistent and not proportionate to the kb?</P><P>Thanks.</P> Wed, 13 Dec 2023 13:38:23 GMT https://community.splunk.com/t5/Splunk-Enterprise/Metrics-log-some-information/m-p/671727#M18113 verbal_666 2023-12-13T13:38:23Z https://community.splunk.com/t5/Splunk-Enterprise/Metrics-log-some-information/m-p/672033#M18142 <P>Hello&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/28550">@verbal_666</a>&nbsp; I think this is the volume indexed.</P><P>&nbsp;</P> Fri, 15 Dec 2023 14:23:13 GMT https://community.splunk.com/t5/Splunk-Enterprise/Metrics-log-some-information/m-p/672033#M18142 splunkreal 2023-12-15T14:23:13Z https://community.splunk.com/t5/Splunk-Enterprise/Metrics-log-some-information/m-p/672035#M18143 <P>I'm counting the "<STRONG><EM>kb</EM></STRONG>" as volume of data received and ingected into Indexers.<BR />Is this wrong, so?</P><P>So, what's the relation beetwen "<EM><STRONG>kb</STRONG></EM>" and "<STRONG><EM>tcp_Kprocessed</EM></STRONG>" ?</P><P>I'm still in doubt <span class="lia-unicode-emoji" title=":thinking_face:">🤔</span><span class="lia-unicode-emoji" title=":thinking_face:">🤔</span><span class="lia-unicode-emoji" title=":thinking_face:">🤔</span></P> Fri, 15 Dec 2023 14:35:43 GMT https://community.splunk.com/t5/Splunk-Enterprise/Metrics-log-some-information/m-p/672035#M18143 verbal_666 2023-12-15T14:35:43Z https://community.splunk.com/t5/Splunk-Enterprise/Metrics-log-some-information/m-p/672037#M18144 <P>Seems tcp_kprocessed is total&nbsp;<SPAN>transferred data and kb the volume indexed for that particular event.</SPAN></P><P><SPAN>You may submit support ticket for further information as this doesn't look documented.</SPAN></P> Fri, 15 Dec 2023 14:41:21 GMT https://community.splunk.com/t5/Splunk-Enterprise/Metrics-log-some-information/m-p/672037#M18144 splunkreal 2023-12-15T14:41:21Z https://community.splunk.com/t5/Splunk-Enterprise/Metrics-log-some-information/m-p/672038#M18145 <P>Maybe could be</P><P><STRONG><EM>tcp_Kprocessed</EM></STRONG> == Kb received by the receiver as a packet of events<BR /><STRONG><EM>kb</EM></STRONG> == the real Kb (compressed) written on Indexer storage</P><P>So, for my purposes, i keep on using the sum of "<STRONG><EM>kb</EM></STRONG>" as volume of data from UF to Indexers.</P><P>Yes, it's not documented at all <span class="lia-unicode-emoji" title=":face_with_rolling_eyes:">🙄</span><span class="lia-unicode-emoji" title=":face_with_rolling_eyes:">🙄</span><span class="lia-unicode-emoji" title=":face_with_rolling_eyes:">🙄</span>🤷‍<span class="lia-unicode-emoji" title=":male_sign:">♂️</span></P><P>Thanks!</P> Fri, 15 Dec 2023 14:47:17 GMT https://community.splunk.com/t5/Splunk-Enterprise/Metrics-log-some-information/m-p/672038#M18145 verbal_666 2023-12-15T14:47:17Z https://community.splunk.com/t5/Splunk-Enterprise/Metrics-log-some-information/m-p/672039#M18146 <P>yes, sounds logic <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P><P>You can add idea to document these fields at&nbsp;<A href="https://ideas.splunk.com/ideas/new" target="_blank">https://ideas.splunk.com/ideas/new</A></P> Fri, 15 Dec 2023 14:49:03 GMT https://community.splunk.com/t5/Splunk-Enterprise/Metrics-log-some-information/m-p/672039#M18146 splunkreal 2023-12-15T14:49:03Z https://community.splunk.com/t5/Splunk-Enterprise/Metrics-log-some-information/m-p/672096#M18148 <P>Yep!</P><P>Le't stay as said... if someone else wants to add something, you're welcome,</P><P><STRONG><EM>tcp_Kprocessed</EM></STRONG> == Kb received by the receiver as a packet of events<BR /><STRONG><EM>kb</EM></STRONG> == the real Kb (compressed) written on Indexer storage</P><P>Explicit and simple,</P><P><STRONG><EM>tcp_Kprocessed</EM></STRONG> == the Networking thruput of events packet<BR /><STRONG><EM>kb</EM></STRONG> == the Compressed Data written to Indexer Storage of previous packet</P><P><span class="lia-unicode-emoji" title=":thumbs_up:">👍</span></P> Sat, 16 Dec 2023 08:04:51 GMT https://community.splunk.com/t5/Splunk-Enterprise/Metrics-log-some-information/m-p/672096#M18148 verbal_666 2023-12-16T08:04:51Z