topic Re: How to calculate bandwidth utilization on an snmp interface from one point to another in Splunk Search

How to calculate bandwidth utilization on an snmp interface from one point to another

bidahor13 — Tue, 29 Sep 2020 06:48:14 GMT

Hi,

I keep getting negative values on my chart when i run my search below.All I'm trying to do is calculate the bandwidth utilization from my switches to another. Put into consideration - assuming the switches are in different building location. I'' ll be glad if someone could help me out.

Here is my search below:

index=snmp dst_device="mdf1" src_device="mdf2"

| delta snmpIfInOctets as transferedIn|delta snmpIfOutOctets as transferedOut
|delta _time as period
| eval transferedBitsIn=transferedIn*8/period|eval transferedBitsOut=transferedOut*8/period| fields + _time, source, snmpIfSpeed, transferedBitsIn, transferedBitsOut| timechart span=10m sum(transferedBitsIn) as Input sum(transferedBitsOut) as output by source

Re: How to calculate bandwidth utilization on an snmp interface from one point to another

somesoni2 — Wed, 29 Jul 2015 21:36:10 GMT

Could you provide some sample logs on how your events looks like?

Re: How to calculate bandwidth utilization on an snmp interface from one point to another

bidahor13 — Tue, 29 Sep 2020 06:52:36 GMT

Hi somesoni2,

here a line of my log file from one of my switches :

1199999: Jul 29 22:33:01: %SEC-1-IP------: list VLAN64_RS_Out permitted udp (TenGigabitEthernet5/1 ) -> (port number), 1 packet

Re: How to calculate bandwidth utilization on an snmp interface from one point to another

woodcock — Thu, 30 Jul 2015 16:22:06 GMT

Too many deltas. Each event already has the bytes transferred; you just need how long it took. Try this:

index=snmp dst_device="mdf1" src_device="mdf2" |delta _time as period | eval transferedBitsIn=snmpIfInOctets*8/period | eval transferedBitsOut=snmpIfOutOctets*8/period | timechart span=10m sum(transferedBitsIn) as Input sum(transferedBitsOut) as output by source

Re: How to calculate bandwidth utilization on an snmp interface from one point to another

bidahor13 — Fri, 31 Jul 2015 16:20:34 GMT

Hi Woodcook,

Thanks for the feedback. I think we are almost there. But, for some reason I keep getting this error message whenever I try to populate my graph when running the search over 7 days or 30 days : See below

These results may be truncated. This visualization is configured to display a maximum of 1000 results per series, and that limit has been reached.

Also, why do I get negative value for each link ? I'm more concerned about getting the aggregate bandwidth usage over 30 days .

Re: How to calculate bandwidth utilization on an snmp interface from one point to another

woodcock — Fri, 31 Jul 2015 16:55:50 GMT

I don't know what you mean by each link but if all of your values are negative, you can fix it by reversing the events like this:

index=snmp dst_device="mdf1" src_device="mdf2" |reverse | delta _time as period | eval transferedBitsIn=snmpIfInOctets*8/period | eval transferedBitsOut=snmpIfOutOctets*8/period | timechart span=10m sum(transferedBitsIn) as Input sum(transferedBitsOut) as output by source

As far as the truncatoin warning, it is just as it says: you need to be sure to limit the number of points on the graph to < 1000. To do this, you need to enlarge your timechart from span=10m to something like span=1h (or maybe even larger for 30 days). If you need aggregate, why are you using timechart? Why are you not generating a single value like this with stats?

index=snmp dst_device="mdf1" src_device="mdf2" |reverse | delta _time as period | eval transferedBitsIn=snmpIfInOctets*8/period | eval transferedBitsOut=snmpIfOutOctets*8/period | stats sum(transferedBitsIn) as Input sum(transferedBitsOut) as output by source

Re: How to calculate bandwidth utilization on an snmp interface from one point to another

bidahor13 — Fri, 31 Jul 2015 17:27:31 GMT

So, this is what I'm trying to achieve : I want o calculate the aggregate bandwidth(xxGB/s) for each link (for instance A1-MDF1 -> B2-MDF1) .so, i can evaluate a 30 days 95th percent utilization on each link ( like A1-MDF1 -> B2-MDF1) . Hope that helps.

Re: How to calculate bandwidth utilization on an snmp interface from one point to another

woodcock — Fri, 31 Jul 2015 18:08:20 GMT

Why are you doing it with such discrete calculations? Why not do it in a much simpler and broader way, like this:

 index=snmp | eval link=if(src_device<dst_device, src_device, dst_device) . "<->" . if(src_device<dst_device, dst_device, src_device) | stats earliest(_time) AS firstTime latest(_time) AS lastTime sum(snmpIfInOctets) as InputBits sum(snmpIfOutOctets) as outputBits by link | eval TotalBytes = 8*(inputBits + outputBits) | eval Bandwidth=TotalBytes/(lastTime-firstTime)

Re: How to calculate bandwidth utilization on an snmp interface from one point to another

bidahor13 — Tue, 29 Sep 2020 06:51:37 GMT

This looks good by the the way . Is there a way to add a spark-line to show the bandwidth utilization for each link (src_device, dst_device)?

Re: How to calculate bandwidth utilization on an snmp interface from one point to another

bidahor13 — Fri, 31 Jul 2015 21:33:34 GMT

Oops, what about the bandwidth result? It wasn't used in your suggested search above?

Re: How to calculate bandwidth utilization on an snmp interface from one point to another

woodcock — Fri, 31 Jul 2015 22:39:05 GMT

The search that I gave you calculates a single bandwidth value for each "link" but you have to "use" it as you see fit (I don't know what your end goal is). As far as sparkline, you can do that like this:

index=snmp | eval link=if(src_device<dst_device, src_device, dst_device) . "<->" . if(src_device<dst_device, dst_device, src_device) | bucket _time span=1h | stats earliest(_time) AS firstTime latest(_time) AS lastTime sum(snmpIfInOctets) as InputBits sum(snmpIfOutOctets) as outputBits by link _time | eval TotalBytes = 8*(inputBits + outputBits) | eval Bandwidth=TotalBytes/(lastTime-firstTime) | stats sparkline(avg(Bandwidth),1h) as BandwidthPerHour

Re: How to calculate bandwidth utilization on an snmp interface from one point to another

bidahor13 — Mon, 03 Aug 2015 21:10:10 GMT

Hello Woodcook,

So, i tried the search you sent- But, there are no data or
sparkline data coming up?

Re: How to calculate bandwidth utilization on an snmp interface from one point to another

woodcock — Mon, 03 Aug 2015 21:13:35 GMT

Your comment was truncated but the only way that I can see for it not to work is if you did not run it for more than an hour. Try changing the 1h to 1m instead.

Re: How to calculate bandwidth utilization on an snmp interface from one point to another

MuS — Mon, 03 Aug 2015 21:17:37 GMT

if you want to search more than an hour use 1mon instead of 1m - m is for minutes http://docs.splunk.com/Documentation/Splunk/6.2.2/Search/Specifytimemodifiersinyoursearch#Specify_relative_time_ranges_in_your_search

Re: How to calculate bandwidth utilization on an snmp interface from one point to another

bidahor13 — Mon, 03 Aug 2015 22:02:27 GMT

Same problem no report coming up on Splunk. Just data on the Events.

Re: How to calculate bandwidth utilization on an snmp interface from one point to another

woodcock — Mon, 03 Aug 2015 22:04:03 GMT

You should probably start over with a new question so that you can start with a concise description and so that more people will take a fresh look at it.