
How to calculate Bandwidth Utilization Using SNMP?

dailv1808
Path Finder

This is the SNMP log of some network device interfaces. How do I calculate the bandwidth of each interface?

IF-MIB::ifName."436207616" = "Ethernet1/1"
IF-MIB::ifOutOctets."436207616" = "2206740419"
IF-MIB::ifInOctets."436207616" = "1813149511"
IF-MIB::ifSpeed."436207616" = "4294967295"
IF-MIB::ifName."436211712" = "Ethernet1/2"
IF-MIB::ifOutOctets."436211712" = "1088361704"
IF-MIB::ifInOctets."436211712" = "4096669700"
IF-MIB::ifSpeed."436211712" = "4294967295"
.....

Any reply is welcome, thanks in advance!

0 Karma
1 Solution

FrankVl
Ultra Champion

Ok, been playing around a bit with it myself in the meantime, to grab bandwidth statistics from my asus router.

Few notes on using the SNMP add on:

  • it allows you to split the data by setting split_bulk_output = 1 in inputs.conf, which removes the need for messing with that LINE_BREAKER stuff manually.
  • applying sourcetype = snmp_ta gets me some nice field extractions out of the box.

This is the snmp input config I have:

[snmp://asus-wrt]
activation_key = ***
communitystring = public
destination = 192.168.2.1
do_bulk_get = 0
do_get_subtree = 1
host = rt-ac87u-1d50
index = testdata
ipv6 = 0
mib_names = IF-MIB
object_names = 1.3.6.1.2.1.2
port = 161
snmp_mode = attributes
snmp_version = 2C
sourcetype = snmp_ta
split_bulk_output = 1
trap_rdns = 0
v3_authProtocol = usmHMACMD5AuthProtocol
v3_privProtocol = usmDESPrivProtocol

This is the search I came up with to calculate bandwidth usage (example for ifInOctets, note: snmp_index selects 1 specific network interface):

index=testdata sourcetype=snmp_ta snmp_index=8 oid=ifInOctets
| sort _time
| delta ifInOctets as deltaO
| delta _time as deltaT
| table _time,ifInOctets,deltaT,deltaO
| eval KBps = round(deltaO/deltaT/1000,2)

It uses the delta command to calculate the difference in Octet count as well as the difference in time (in seconds) between events and divides the two to calculate the avg KB per second during that timeslot. The | sort _time is needed to get positive delta values and have an actual delta value for your latest event.

An alternative using streamstats (which allows the use of a by-clause)

index=testdata sourcetype=snmp_ta
| eventstats values(ifDescr) as ifDescr by snmp_index
| search oid=ifInOctets
| sort _time
| streamstats window=2 global=false range(ifInOctets) as InOctets range(_time) as secs by ifDescr
| timechart avg(eval(InOctets/secs)) by ifDescr

I'm getting some weird data out of this, which doesn't match the actual bandwidth usage, but I think that may be some issue with the ASUS device (NAT acceleration feature seems to give unreliable network stats), not with how I calculate things in Splunk. Please give it a try and see what your results are!

0 Karma
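
The same delta-over-time calculation applied to the log format from the question, as an added Python example that is not part of the answer above. It generalizes the answer in two ways: ifInOctets/ifOutOctets are 32-bit counters, so the delta is taken modulo 2^32 (assuming at most one wrap between polls), and an ifSpeed of 4294967295 is the IF-MIB maximum, meaning the real speed has to come from ifHighSpeed. The second poll, the 60-second interval and the 10 Gbit/s link speed used in the demo are constructed assumptions.

```python
import re

COUNTER32_MOD = 2**32            # ifInOctets/ifOutOctets are Counter32 and wrap at 2^32
IFSPEED_SATURATED = 4294967295   # IF-MIB: ifSpeed pins at this value on faster links
LINE = re.compile(r'IF-MIB::(\w+)\."(\d+)" = "([^"]*)"')

def parse_poll(text):
    """Return {ifIndex: {object: value}} for one poll in the question's log format."""
    poll = {}
    for obj, idx, val in LINE.findall(text):
        poll.setdefault(idx, {})[obj] = val if obj == "ifName" else int(val)
    return poll

def counter_delta(prev, curr):
    """Octets counted between two Counter32 readings, allowing a single wrap."""
    return (curr - prev) % COUNTER32_MOD

def utilization(prev_poll, curr_poll, seconds, speed_bps=None):
    """Per-interface in/out bits per second and percent of link speed.
    speed_bps (hypothetical parameter) overrides ifSpeed, e.g. from ifHighSpeed."""
    out = {}
    for idx, curr in curr_poll.items():
        prev = prev_poll.get(idx)
        if prev is None or seconds <= 0:
            continue                      # need two polls and a positive interval
        speed = speed_bps or curr["ifSpeed"]
        saturated = speed_bps is None and speed == IFSPEED_SATURATED
        row = {"speed_unknown": saturated}
        for obj, key in (("ifInOctets", "in"), ("ifOutOctets", "out")):
            bps = counter_delta(prev[obj], curr[obj]) * 8 / seconds
            row[key + "_bps"] = bps
            row[key + "_pct"] = None if saturated else round(100 * bps / speed, 2)
        out[curr["ifName"]] = row
    return out

# First poll: the values posted in the question.
POLL_1 = """IF-MIB::ifName."436207616" = "Ethernet1/1" IF-MIB::ifOutOctets."436207616" = "2206740419" IF-MIB::ifInOctets."436207616" = "1813149511" IF-MIB::ifSpeed."436207616" = "4294967295"
IF-MIB::ifName."436211712" = "Ethernet1/2" IF-MIB::ifOutOctets."436211712" = "1088361704" IF-MIB::ifInOctets."436211712" = "4096669700" IF-MIB::ifSpeed."436211712" = "4294967295" """
# Second poll: constructed values, 60 s later; Ethernet1/2 ifInOctets has wrapped past 2^32.
POLL_2 = """IF-MIB::ifName."436207616" = "Ethernet1/1" IF-MIB::ifOutOctets."436207616" = "2281740419" IF-MIB::ifInOctets."436207616" = "1963149511" IF-MIB::ifSpeed."436207616" = "4294967295"
IF-MIB::ifName."436211712" = "Ethernet1/2" IF-MIB::ifOutOctets."436211712" = "1095861704" IF-MIB::ifInOctets."436211712" = "101702404" IF-MIB::ifSpeed."436211712" = "4294967295" """

if __name__ == "__main__":
    polls = parse_poll(POLL_1), parse_poll(POLL_2)
    for name, row in utilization(*polls, 60, speed_bps=10_000_000_000).items():
        print(name, row)
```

A plain subtraction on the wrapped Ethernet1/2 counter would give a large negative delta; the modulo step recovers the 300,000,000 octets actually transferred.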