topic Re: Splunk instance to Splunk instance bandwidth utilization Report in Reporting

Splunk instance to Splunk instance bandwidth utilization Report

ansif — Mon, 04 Dec 2017 12:53:53 GMT

Is there a search query to check bandwidth utilized between to Splunk instance(eg:- Heavy forwarder to Heavy forwarder data being sent)?

Re: Splunk instance to Splunk instance bandwidth utilization Report

nickhills — Mon, 04 Dec 2017 13:05:02 GMT

Splunk Stream will answer this for you at the wire level , but you will want in install it on the recievingside, because otherwise the traffic it generates will get included in your results too!

If you are just concerned about the volume of data being indexed you can obtain this from the metrics log, but it wont give you an accurate picture of actual bytes transmitted etc, especially because it does not take account of the compression and transmission overheads of TCP/SSL etc.

Re: Splunk instance to Splunk instance bandwidth utilization Report

ansif — Mon, 04 Dec 2017 13:09:03 GMT

So I need to install this app at receiving side Heavy forwarder to get amount data transmitted over network right?

Re: Splunk instance to Splunk instance bandwidth utilization Report

harsmarvania57 — Mon, 04 Dec 2017 13:25:00 GMT

Will you please try this query ?

    index=_internal host=<SOURCE HF FQDN> source="*metrics.log*" destIp=<DEST HF IP> component=Metrics group=tcpout_connections | timechart avg(tcp_KBps) AS avg_KBps

Re: Splunk instance to Splunk instance bandwidth utilization Report

nickhills — Mon, 04 Dec 2017 13:28:06 GMT

You question said "Heavy forwarder to Heavy forwarder" - so I would install it on the receiving HF.

The problem with putting it on the sending HF, is that the sending HF can essentially generate 'logs of logs'
(Not a big deal, unless you are trying to measure the volume sent as you are)

Re: Splunk instance to Splunk instance bandwidth utilization Report

nickhills — Mon, 04 Dec 2017 13:35:04 GMT

This will get you some of the way there - but the metrics file wont take account of DS/management traffic (not that it would be very much) but also I believe this reports the uncompressed & decoded data volume.
Not for example taking account of compression efficiency or normal TCP overheads like SSL.
It depends what @ansif is asking for - but if its total 'bytes on the wire' I'm not sure how close the metrics log would get you.

Re: Splunk instance to Splunk instance bandwidth utilization Report

harsmarvania57 — Mon, 04 Dec 2017 14:21:30 GMT

Yes, it looks like metrics.log is giving compressed log information not the actual one.

Re: Splunk instance to Splunk instance bandwidth utilization Report

ansif — Tue, 05 Dec 2017 07:25:18 GMT

@nickhillscpl : If I am sending compressed data (compress = true) from HF to HF,using this app I am able to get the compressed data being sent over network per day.Am I right?

Actually I have similar question unanswered

https://answers.splunk.com/answers/593582/search-query-to-get-amount-of-compressed-data-hitt.html

Does this answer applicable for above question too?

Re: Splunk instance to Splunk instance bandwidth utilization Report

ansif — Tue, 05 Dec 2017 07:27:04 GMT

@harsmarvania57 : I need to know the compression ratio. So can we confirm the search result give us compressed data usage over network before it get uncompressed and indexed at receiving end.

Re: Splunk instance to Splunk instance bandwidth utilization Report

nickhills — Tue, 05 Dec 2017 08:31:45 GMT

Stream will tell you the actual volume of data 'on the wire'.
That is to say the total number of bytes sent between hosts, so yes, this will be the compressed data volume + overheads.

I'll drop a note on your other issue.