topic Network throughput monitor in Getting Data In

Network throughput monitor

demonspork — Mon, 04 Oct 2010 09:22:23 GMT

I am trying to use *NIX to monitor my network throughput statistics and graph them nicely, I am currently using Bandwidthd but I would like to get it all usable in one interface. Everything else worked perfectly, CPU, Memory, faiiled login detection, everything graphs nicely. But when I try to monitor the network by throughput, I get this at the top of the page: Specified field(s) missing from results: 'TX_Thruput'

running locally on Ubuntu 10.04 splunk 4.1.5 build 85165. I have all of the options checked for the *NIX configuration. I checked out the searches suggested in http://answers.splunk.com/questions/4287/measure-throughput-eps-kbps-per-input but they return no results.

Re: Network throughput monitor

Simeon — Tue, 05 Oct 2010 00:20:56 GMT

Without seeing the output of each event in the search window, this will be hard to answer. I strongly suspect your field for TX_Thruput is not extracted by default. Typically, Splunk finds the fields you want to use automatically, but there are some cases where you must configure Splunk to properly extract fields. You will need to create a field extraction for the TX_Thruput field. You can do this via the interactive field extraction tool or via a rex command.

Re: Network throughput monitor

demonspork — Mon, 28 Sep 2020 09:18:32 GMT

args = host
definition = index="os" sourcetype="interfaces" host=* | multikv fields name, inetAddr, RXbytes, TXbytes | streamstats current=f last(TXbytes) as lastTX, last(RXbytes) as lastRX by Name | eval time=_time | strcat Name "-" inetAddr "@" host Interface_Host | eval RX_Thruput = lastRX-RXbytes | eval TX_Thruput = lastTX-TXbytes | timechart eval(sum(TX_Thruput)/dc(time)) by Interface_Host

is the line in the unix app files that seems that it is supposed to do this task. I run that search manually and it gives the error about missing fields.

Re: Network throughput monitor

asleeis — Tue, 19 Oct 2010 07:18:09 GMT

Anyone have an update on this? I'm seeing this as well. When simply querying all events the "interfaces" sourcetype (for index, "os") under the unix app, it doesn't seem to be defining fields for these. I would think that the Unix app should have defined these, no? The headers are more funky than your basic "X=Y" output... it's a column based output (headers). But still... it's been like this for this command on Linux for a long time.

Anyone? Is this just a bug in the Unix app that needs fixing?

Re: Network throughput monitor

asleeis — Tue, 19 Oct 2010 11:00:09 GMT

I'm not sure of actual cause.... but what I noticed in the data was that the output from "interface.sh" was including the virtual interfaces (i.e. not eth0:0, eth0:1, etc.). Those do not end up reporting all the data like the actual interface (eth0) does. I'm thinking that multikv has issues when there's no value between field separators of the "table" (i.e. two tabs with nothing in between).

Since I didn't care about the virtuals (as the data for those are included in the main interface), I modified interface.sh to exclude virtual interfaces. My method was cludgy, but seems to work. I piped the output of the command that gathered the interface list to "grep -v ':'" for the Linux section.

Bingo! Data starts getting parsed, fields defined, and graphs looking all pretty!