https://community.splunk.com/t5/Splunk-Search/How-to-search-Apache-access-log-data-to-find-bandwidth-usage-as/m-p/216800#M63661 <P>Hope this helps you.</P> <P>Apache access_log sample:<BR /> 127.0.0.1 - - [22/Jun/2016:15:19:48 -0700] "GET /uri/sample/path HTTP/1.1" 200 20 15515</P> <P>I created an extracted field called apache_byte_size on the second column from the very right. In this example the number of bytes = 20. I change the search to the time frame that I want.</P> <P>Sample Splunk search:<BR /> index=apache host=hostname sourcetype=access_log | stats sum(apache_byte_size)</P> Tue, 29 Sep 2020 10:01:50 GMT wongea 2020-09-29T10:01:50Z https://community.splunk.com/t5/Splunk-Search/How-to-search-Apache-access-log-data-to-find-bandwidth-usage-as/m-p/216797#M63658 <P>I can pull the Apache access_log into Splunk, but I can't figure out now to write a search that will give the total number of bytes that Apache sends to browsers over a period of time. Anyone have one to share? </P> <P>Thanks.</P> Wed, 22 Jun 2016 16:01:59 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-Apache-access-log-data-to-find-bandwidth-usage-as/m-p/216797#M63658 spunkyg 2016-06-22T16:01:59Z https://community.splunk.com/t5/Splunk-Search/How-to-search-Apache-access-log-data-to-find-bandwidth-usage-as/m-p/216798#M63659 <P>what's the format of your logs? can you show some sample events with fields?</P> Wed, 22 Jun 2016 21:44:11 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-Apache-access-log-data-to-find-bandwidth-usage-as/m-p/216798#M63659 sk314 2016-06-22T21:44:11Z https://community.splunk.com/t5/Splunk-Search/How-to-search-Apache-access-log-data-to-find-bandwidth-usage-as/m-p/216799#M63660 <P>I think we are using the combined log format. In the sample entries below, empty fields are indicated by hyphens. The number of bytes sent to the client browser is indicated in the seventh field from the left. In the first sample, the value for bytes is 12. In the second sample, it is 8369.</P> <P>10.107.88.13 - - [22/Jun/2016:03:43:24 -0500] "GET /" 200 12 "-" "-" - - - "-" "-" libweb-devel-cluster.example.com 80 SSL-off 2507 49683 -</P> <P>68.180.229.190 - - [22/Jun/2016:04:22:49 -0500] "GET /tejanovoices/interview.php?cmasno=113 HTTP/1.1" 200 8369 "-" "Mozilla/5.0 (c<BR /> ompatible; Yahoo! Slurp; <A href="http://help.yahoo.com/help/us/ysearch/slurp)">http://help.yahoo.com/help/us/ysearch/slurp)</A>" - - - "-" "library.example.com" library.example.com 80 SSL-off 4447<BR /> 1 44226 +</P> Wed, 22 Jun 2016 22:05:17 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-Apache-access-log-data-to-find-bandwidth-usage-as/m-p/216799#M63660 spunkyg 2016-06-22T22:05:17Z https://community.splunk.com/t5/Splunk-Search/How-to-search-Apache-access-log-data-to-find-bandwidth-usage-as/m-p/216800#M63661 <P>Hope this helps you.</P> <P>Apache access_log sample:<BR /> 127.0.0.1 - - [22/Jun/2016:15:19:48 -0700] "GET /uri/sample/path HTTP/1.1" 200 20 15515</P> <P>I created an extracted field called apache_byte_size on the second column from the very right. In this example the number of bytes = 20. I change the search to the time frame that I want.</P> <P>Sample Splunk search:<BR /> index=apache host=hostname sourcetype=access_log | stats sum(apache_byte_size)</P> Tue, 29 Sep 2020 10:01:50 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-Apache-access-log-data-to-find-bandwidth-usage-as/m-p/216800#M63661 wongea 2020-09-29T10:01:50Z https://community.splunk.com/t5/Splunk-Search/How-to-search-Apache-access-log-data-to-find-bandwidth-usage-as/m-p/216801#M63662 <P>Based on your answer, I created the following search that works in our load-balanced environment. Thank you!</P> <P>source="/var/log/httpd/access_log" host="webprod-1.example.com" OR host="webprod-2.example.com" | stats sum(bytes)</P> Thu, 23 Jun 2016 13:46:46 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-Apache-access-log-data-to-find-bandwidth-usage-as/m-p/216801#M63662 spunkyg 2016-06-23T13:46:46Z