topic Re: Stats against timechart in Splunk Search

Stats against timechart

hlarimer — Tue, 04 Aug 2015 20:50:19 GMT

I have a search that I can use in a dashboard that gives me statistical data about bandwidth usage on a firewall. I have a drop down that sets the location ($location$) that the user wants to query and then shows them the max mbps up and down. Here is that search:

index=pan_logs sourcetype=pan_traffic src_zone=ClientVPNZone OR src_zone=trust dst_zone=Untrust  $location$  
|  eval mbits_sec_down=(bytes_received/elapsed_time)*8/1000/1000 
| eval mbits_sec_up=(bytes_sent/elapsed_time)*8/1000/1000 
| timechart span=1s sum(mbits_sec_down) AS Down, sum(mbits_sec_up) AS  Up 
| stats max(*)

I would like to create a report that shows bandwidth usage per site and thought it would be as simple as adding "by host" to the end but the search doesn't show anything under the statistics tab. I'm assumed the host information isn't being sent to the last stats command so I tried adding "by host" to the timechart command but it still doesn't show results.

Any ideas on how to get this report?

Re: Stats against timechart

somesoni2 — Tue, 04 Aug 2015 21:24:17 GMT

Try this...

 index=pan_logs sourcetype=pan_traffic src_zone=ClientVPNZone OR src_zone=trust dst_zone=Untrust  $location$  
 |  eval mbits_sec_down=(bytes_received/elapsed_time)*8/1000/1000 
 | eval mbits_sec_up=(bytes_sent/elapsed_time)*8/1000/1000  | bucket span=1s _time
 | stats sum(mbits_sec_down) AS Down, sum(mbits_sec_up) AS  Up by _time host | fields - _time
 | stats max(*) as * by host

Re: Stats against timechart

somesoni2 — Tue, 04 Aug 2015 21:24:53 GMT

Bucket + stats will give similar result as timechart.

Re: Stats against timechart

hlarimer — Tue, 04 Aug 2015 21:32:18 GMT

I didn't get any results off of the search listed in your first response

Re: Stats against timechart

hlarimer — Tue, 04 Aug 2015 21:34:20 GMT

I take that back, I had to remove the variable name left in there from the dashboard and I'm seeing data now.

Re: Stats against timechart

woodcock — Tue, 04 Aug 2015 21:38:42 GMT

You lost host at timechart so you need to keep it there like this:

index=pan_logs sourcetype=pan_traffic src_zone=ClientVPNZone OR src_zone=trust dst_zone=Untrust  $location$ | eval mbits_sec_down=(bytes_received/elapsed_time)*8/1000/1000 | eval mbits_sec_up=(bytes_sent/elapsed_time)*8/1000/1000 | timechart span=1s sum(mbits_sec_down) AS Down, sum(mbits_sec_up) AS Up by host | stats max(*) by host

Re: Stats against timechart

hlarimer — Tue, 04 Aug 2015 21:40:40 GMT

That's what I was thinking but when I tried that it still didn't give me any data

Re: Stats against timechart

somesoni2 — Tue, 04 Aug 2015 21:41:19 GMT

You would loose host even after specifying it in by clause of timechart (the host values will appear as field name).

Re: Stats against timechart

woodcock — Tue, 04 Aug 2015 21:45:34 GMT

Yes, of course, you need this:

index=pan_logs sourcetype=pan_traffic src_zone=ClientVPNZone OR src_zone=trust dst_zone=Untrust  $location$ | eval mbits_sec_down=(bytes_received/elapsed_time)*8/1000/1000 | eval mbits_sec_up=(bytes_sent/elapsed_time)*8/1000/1000 | bucket _time span=1s | stats sum(mbits_sec_down) AS Down, sum(mbits_sec_up) AS Up by _time host | stats max(*) by host

Which I see @somesoni2 has already noted (what he said).