
Need Linux equivalent query for network traffic stats

NK
Explorer

Using Splunk Add-on for Microsoft Windows, Splunk Add-on for Unix and Linux on Splunk Enterprise v9.3.0

What are the Linux (RHEL 8) equivalents for these Splunk Windows queries?

e.g. Network Traffic:

Windows:

index=wmi host=MyWindowsHost sourcetype="Perfmon:Network Interface" counter=Bytes* | timechart span=15m max(Value) as "Bytes/sec" by counter

Linux:
?

e.g. CPU:

Windows:

index=wmi host=MyWindowsHost sourcetype="Perfmon:CPU Load" | timechart span=15m max(Value) as "CPU Load" by counter

Linux:

index=os host=MyLinuxHost source=cpu CPU="all" | timechart span=15m max(pctSystem),max(pctUser) by CPU

gcusello
SplunkTrust

Hi @NK ,

I suppose that you're using the Splunk_TA_nix add-on to ingest the Linux logs, if not, use it!

You have to enable the [script://./bin/netstat.sh] input.

In this way, you'll have the same information of Windows.

Ciao.

Giuseppe


NK
Explorer

I enabled netstat in $SPLUNK_HOME/etc/apps/Splunk_TA_nix/local/inputs.conf
I see Send_Q and Recv_Q (from "netstat -a"?), but those look like the corresponding queue sizes in bytes.
I think the Windows/wmi equivalent reports traffic (bytes/sec) through the network adapter.

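As an added example (not from this thread or the add-on's own documentation), one SPL search that derives bytes/sec from cumulative per-interface counters, which is the closer match to the Windows Perfmon "Bytes*" counters than netstat's queue lengths. It assumes the Splunk_TA_nix interfaces.sh input is enabled and that its events carry the Name, RXbytes and TXbytes fields under sourcetype interfaces; adjust the field names if your version differs.

```spl
index=os host=MyLinuxHost sourcetype=interfaces Name!=lo
| sort 0 Name _time
| streamstats current=f window=1 last(RXbytes) as prevRX last(TXbytes) as prevTX last(_time) as prevTime by Name
| eval secs=_time-prevTime
| eval rxDelta=RXbytes-prevRX, txDelta=TXbytes-prevTX
| eval rxBps=if(secs>0 AND rxDelta>=0, rxDelta/secs, null()), txBps=if(secs>0 AND txDelta>=0, txDelta/secs, null())
| timechart span=15m max(rxBps) as "RX Bytes/sec" max(txBps) as "TX Bytes/sec" by Name
```

A negative delta (interface counter reset or host reboot) is dropped instead of being charted as a huge spike, which keeps the 15-minute maxima comparable with the Windows chart.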

gcusello
SplunkTrust

Hi @NK ,

good for you, see next time!

Let me know if I can help you more, or, please, accept one answer for the other people of the Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉
