topic Re: Bandwidth usage from Firewall in Splunk Search

Bandwidth usage from Firewall

jparrenas26 — Mon, 22 Feb 2021 23:41:25 GMT

I'm looking to create a bandwidth chart showing the bandwidth traffic our firewall over a time period and converting the data from bytes to GB. Currently this is the search I'm running:

index=firewall host="HQ-5020-1.firstagain.local"
| stats sum(bytes_in) as Received,sum(bytes_out) as Sent by dest_interface
| rename dest_interface as Interface
| eval Bandwidth=round(bytes_in/1024/1024/1024,2)
| eval Bandwidth=Received + Sent

However the conversion is not working and I cannot figure out how to get the time period to work. It shows the interface but when I try a visualization, I only see the 1 data point where I would like to see either an "over time" type of graph.

Re: Bandwidth usage from Firewall

to4kawa — Mon, 22 Feb 2021 23:47:55 GMT

index=firewall host="HQ-5020-1.firstagain.local" | stats sum(bytes_in) as Received,sum(bytes_out) as Sent by dest_interface ``` bytes_in field is gone.``` | rename dest_interface as Interface | convert memg(Recieved) memg(Sent) | eval Bandwidth=round(Received + Sent,2)

Re: Bandwidth usage from Firewall

jparrenas26 — Tue, 23 Feb 2021 00:00:32 GMT

Thank you for the quick response. I tried the memg command but I'm receiving an error: Error in 'convert' command: The conversion type 'memg' is invalid. The only one that works is memk.

Re: Bandwidth usage from Firewall

to4kawa — Tue, 23 Feb 2021 00:14:46 GMT

| tstats count where index=_internal | eval count = (count)."g" | convert memk(count) as gigabyte

It was the opposite, wasn't it?
Please do the eval twice.

eval Sent = bytes_out /1024/1024/1024

eval Received = byte_in /1024 /1024 /1024

Re: Bandwidth usage from Firewall

jparrenas26 — Tue, 23 Feb 2021 00:39:23 GMT

The first query seemed to be more of what we were looking for. I've added a screenshot from our monitoring software, and we're looking for something similar to this as a dashboard. My mistake on not adding this sooner.

So basically this portion: index=firewall host="HQ-5020-1.firstagain.local" dest_interface=ethernet1/12
would be used to show the bytes in and bytes out, and then the total bytes would be calculated to show the amount of bandwidth used. This would be represented on the chart in Mb. I know it's asking much, but let me know what other information is needed.

Re: Bandwidth usage from Firewall

to4kawa — Tue, 23 Feb 2021 01:00:47 GMT

index=firewall host="HQ-5020-1.firstagain.local" | bin _time span=1min | stats sum(bytes_in) as Received,sum(bytes_out) as Sent by _time dest_interface | rename dest_interface as Interface | eval Received=Received / 1024 / 1024, Sent = Sent / 1024 / 1024 | eval Bandwidth=round(Received + Sent,2)

Viz >> Line Chart with trellis by Interface

sample:

| tstats count where index=_internal by _time span=1h sourcetype | fields - count | eval bytes_out=random() / 1024 , bytes_in=random() / 1024 | stats sum(bytes_out) as Sent sum(bytes_in) as Received by _time sourcetype | rename sourcetype as Interface | eval Bandwidth = round( Sent + Received , 2)

Re: Bandwidth usage from Firewall

jparrenas26 — Tue, 23 Feb 2021 01:04:40 GMT

Perfect, that is exactly what we were looking for. Thank you so much!