https://community.splunk.com/t5/Dashboards-Visualizations/Why-doesn-t-the-kb-and-tcp-KBps-numbers-line-up/m-p/303207#M40072 <P>I'm reading through <A href="https://docs.splunk.com/Documentation/Splunk/7.0.1/Troubleshooting/Aboutmetricslog">https://docs.splunk.com/Documentation/Splunk/7.0.1/Troubleshooting/Aboutmetricslog</A> trying to put together some analysis of forwarders in a timechart. I'm noticing that the tcp_KBps numbers are always higher than I would expect them to be. Shouldn't they essentially just be kb/60, if my bucket were 1 minute for instance?</P> <P>Take the following two timecharts:</P> <PRE><CODE>index=_internal sourcetype=splunkd host=*hf* group=tcpin_connections hostname=* | timechart span=1m sum(tcp_KBps) as "KBps" by host limit=50 index=_internal sourcetype=splunkd host=*hf* group=tcpin_connections hostname=* | timechart span=1m sum(kb) as "KB" by host limit=50 </CODE></PRE> <P>Shouldn't I expect in this case that the bottom results should be essentially 60x per host per bucket compared to the top? That's not what I'm seeing. I see them follow the same trends however the numbers do not add up. For instance I will see a kb value of 676,000 and a kbps of 27,500 for the same host on the same minutely time bucket. Shouldn't the kbps be around 11,266? What am I missing here?</P> Thu, 11 Jan 2018 21:50:33 GMT briancronrath 2018-01-11T21:50:33Z https://community.splunk.com/t5/Dashboards-Visualizations/Why-doesn-t-the-kb-and-tcp-KBps-numbers-line-up/m-p/303207#M40072 <P>I'm reading through <A href="https://docs.splunk.com/Documentation/Splunk/7.0.1/Troubleshooting/Aboutmetricslog">https://docs.splunk.com/Documentation/Splunk/7.0.1/Troubleshooting/Aboutmetricslog</A> trying to put together some analysis of forwarders in a timechart. I'm noticing that the tcp_KBps numbers are always higher than I would expect them to be. Shouldn't they essentially just be kb/60, if my bucket were 1 minute for instance?</P> <P>Take the following two timecharts:</P> <PRE><CODE>index=_internal sourcetype=splunkd host=*hf* group=tcpin_connections hostname=* | timechart span=1m sum(tcp_KBps) as "KBps" by host limit=50 index=_internal sourcetype=splunkd host=*hf* group=tcpin_connections hostname=* | timechart span=1m sum(kb) as "KB" by host limit=50 </CODE></PRE> <P>Shouldn't I expect in this case that the bottom results should be essentially 60x per host per bucket compared to the top? That's not what I'm seeing. I see them follow the same trends however the numbers do not add up. For instance I will see a kb value of 676,000 and a kbps of 27,500 for the same host on the same minutely time bucket. Shouldn't the kbps be around 11,266? What am I missing here?</P> Thu, 11 Jan 2018 21:50:33 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Why-doesn-t-the-kb-and-tcp-KBps-numbers-line-up/m-p/303207#M40072 briancronrath 2018-01-11T21:50:33Z https://community.splunk.com/t5/Dashboards-Visualizations/Why-doesn-t-the-kb-and-tcp-KBps-numbers-line-up/m-p/303208#M40073 <P>I think you have a units mismatch. Kbps is kilo-bits per second. kb is kilobytes (with no rate).</P> Thu, 11 Jan 2018 21:57:25 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Why-doesn-t-the-kb-and-tcp-KBps-numbers-line-up/m-p/303208#M40073 micahkemp 2018-01-11T21:57:25Z https://community.splunk.com/t5/Dashboards-Visualizations/Why-doesn-t-the-kb-and-tcp-KBps-numbers-line-up/m-p/303209#M40074 <P>Are you sure about that? From the doc:</P> <P>_tcp_Bps is the bytes transmitted during the metrics interval divided by the duration of the interval (in seconds)<BR /> _tcp_KBps is the same value divided by 1024<BR /> _tcp_avg_thruput is an average rate of bytes sent since the last time the tcp output processor was reinitialized/reconfigured. Typically this means an average since Splunk started.<BR /> _tcp_KProcessed is the total number of bytes written since the processor was reinitialized/reconfigured, divided by 1024.<BR /> _tcp_eps is the number of items transmitted during the interval divided by the direction of the interval (in seconds). Note that items will frequently not be events for universal/light forwarders (instead, data chunks)<BR /> kb is the bytes transmitted during the metrics interval divided by 1024.</P> Tue, 29 Sep 2020 17:37:55 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Why-doesn-t-the-kb-and-tcp-KBps-numbers-line-up/m-p/303209#M40074 briancronrath 2020-09-29T17:37:55Z https://community.splunk.com/t5/Dashboards-Visualizations/Why-doesn-t-the-kb-and-tcp-KBps-numbers-line-up/m-p/303210#M40075 <P>You're right, according to that _tcp_KBps is indeed kilobytes per second.</P> Tue, 29 Sep 2020 17:37:58 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Why-doesn-t-the-kb-and-tcp-KBps-numbers-line-up/m-p/303210#M40075 micahkemp 2020-09-29T17:37:58Z https://community.splunk.com/t5/Dashboards-Visualizations/Why-doesn-t-the-kb-and-tcp-KBps-numbers-line-up/m-p/303211#M40076 <P>Is it possible that the metrics intervals don't line up? Maybe there is only one <CODE>kb</CODE> value every 10 minutes, but <CODE>kbps</CODE> every minute?</P> Thu, 11 Jan 2018 22:06:30 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Why-doesn-t-the-kb-and-tcp-KBps-numbers-line-up/m-p/303211#M40076 micahkemp 2018-01-11T22:06:30Z https://community.splunk.com/t5/Dashboards-Visualizations/Why-doesn-t-the-kb-and-tcp-KBps-numbers-line-up/m-p/303212#M40077 <P>By the way,actually it is opposite, <CODE>KBps</CODE> is <CODE>kilo-bytes</CODE> and <CODE>kb</CODE> is <CODE>kilo-bit</CODE>.</P> Fri, 12 Jan 2018 04:52:56 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Why-doesn-t-the-kb-and-tcp-KBps-numbers-line-up/m-p/303212#M40077 mayurr98 2018-01-12T04:52:56Z https://community.splunk.com/t5/Dashboards-Visualizations/Why-doesn-t-the-kb-and-tcp-KBps-numbers-line-up/m-p/303213#M40078 <P>I certainly would have expected <CODE>B</CODE>=bytes, <CODE>b</CODE>=bits, but the paste from the docs suggests otherwise.</P> Fri, 12 Jan 2018 05:15:54 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Why-doesn-t-the-kb-and-tcp-KBps-numbers-line-up/m-p/303213#M40078 micahkemp 2018-01-12T05:15:54Z https://community.splunk.com/t5/Dashboards-Visualizations/Why-doesn-t-the-kb-and-tcp-KBps-numbers-line-up/m-p/303214#M40079 <P>Sorry guys for bringing this old topic up, but as the main question remained kinda unexplained, I'd be glad to see it finally clarified. I've to deal with the same confusion about the values and it drives me crazy, as it makes thruput troubeshooting really annoying. I've got a Splunk 7.3.3 in front of me running for several hours with Metric events that are gathered within a 60s time interval:</P> <PRE>[...] kb=95143.5849609375, _tcp_Bps=2064499.2670550928, _tcp_KBps=2016.112565483489, _tcp_avg_thruput=2016.112565483489, _tcp_Kprocessed=95143.5849609375, _tcp_eps=2806.537391302746 [...]</PRE> <P>Latest docs (currently 8.01) still say what brian has quoted above:<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/Aboutmetricslog#Tcpout_Connections_messages" target="_blank">https://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/Aboutmetricslog#Tcpout_Connections_messages</A> </P> <P>But no matter how I try to align _tcp_KBps and kb (bits or bytes), they don't fit:<BR /> (95143 / 8 bit) / 60 sec ~ 198 <BR /> 95143 / 60 sec ~ 1586, which is still far away from the 2016<BR /> Funny to mention: _tcp_avg_thruput is identical to _tcp_KBps in my example, but should be measured in bytes(!) according to the documentation.</P> <P>Any idea, why these values don't line up and which one to trust?</P> Wed, 30 Sep 2020 03:57:41 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Why-doesn-t-the-kb-and-tcp-KBps-numbers-line-up/m-p/303214#M40079 smichalski 2020-09-30T03:57:41Z