Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Get Percentage of Network bandwidth

tysonjhayes
Explorer
‎05-06-2015 09:33 AM

I'm looking to define a query that allows me to query the Network Interface for all my machines and create a percentage utilization for each interface. I'm having a bit of trouble with it though.

What I'm ultimately looking for is to take the TotalBytes being used on my Network Interface and divide by my current bandwidth. Basically: ((totalBytes*8)/CurrentBandwidth) * 100

I've come up with the following query but CurrentBandwidth doesn't come back with anything and I get an error that I'm interpreting to me an I'm dividing by zero.

index=index host=host object="Network Interface" counter="Bytes Total/sec"
    | bucket _time span=1m
    | stats avg(Value) as bytesByHost by _time,host
    | stats sum(bytesByHost) as totalBytes by _time
    | append [search index=index host=host object="Network Interface" counter="Current Bandwidth" instance!="isatap.*"
        | bucket _time span=1m 
        | stats avg(Value) as connsByHost by _time | stats sum(connsByHost) as CurrentBandwidth by _time ]
    | stats exact(((totalBytes*8)/CurrentBandwidth) * 100)

Error: Error in 'stats' command: The argument 'exact(((totalBytes*8)/CurrentBandwidth) * 100)' is invalid.

Any assistance would be greatly appreciated.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

stephanefotso
Motivator
‎05-06-2015 10:18 AM

Exact(X) is a function for Eval and Where

Try 

 index=index host=host object="Network Interface" counter="Bytes Total/sec"
     | bucket _time span=1m
     | stats avg(Value) as bytesByHost by _time,host
     | stats sum(bytesByHost) as totalBytes by _time
     | append [search index=index host=host object="Network Interface" counter="Current Bandwidth" instance!="isatap.*"
         | bucket _time span=1m 
         | stats avg(Value) as connsByHost by _time | stats sum(connsByHost) as CurrentBandwidth by _time ]
     | eval total= exact(totalBytes*8/CurrentBandwidth * 100)
 | stats  values(total)
SGF

View solution in original post

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎05-06-2015 10:20 AM

"exact" is not a stats function:
http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchReference/Stats

0 Karma
Reply
Solved! Jump to solution

tysonjhayes
Explorer
‎05-06-2015 10:28 AM

Thanks! That's been corrected.

0 Karma
Reply
Solved! Jump to solution
Solution

stephanefotso
Motivator
‎05-06-2015 10:18 AM

Exact(X) is a function for Eval and Where

Try 

 index=index host=host object="Network Interface" counter="Bytes Total/sec"
     | bucket _time span=1m
     | stats avg(Value) as bytesByHost by _time,host
     | stats sum(bytesByHost) as totalBytes by _time
     | append [search index=index host=host object="Network Interface" counter="Current Bandwidth" instance!="isatap.*"
         | bucket _time span=1m 
         | stats avg(Value) as connsByHost by _time | stats sum(connsByHost) as CurrentBandwidth by _time ]
     | eval total= exact(totalBytes*8/CurrentBandwidth * 100)
 | stats  values(total)
SGF
Reply
Solved! Jump to solution

tysonjhayes
Explorer
‎05-06-2015 10:27 AM

Tried your function and while I'm not getting the error anymore (thanks!) I'm not getting any data for total. It still looks like CurrentBandwidth is null.

When I run the appended search by itself I'm getting results but put it in the append I'm getting nothing...

0 Karma
Reply
Solved! Jump to solution

stephanefotso
Motivator
‎05-06-2015 10:55 AM

Try this

  index=index host=host object="Network Interface" counter="Bytes Total/sec"
          | bucket _time span=1m
          | stats avg(Value) as bytesByHost by _time,host
          | stats sum(bytesByHost) as totalBytes by _time
          | append [search index=index host=host object="Network Interface" counter="Current Bandwidth" instance!="isatap.*"
              | bucket _time span=1m 
              | eventstats avg(Value) as connsByHost by _time | stats sum(connsByHost) as CurrentBandwidth by _time ]
          | eval total= exact(totalBytes*8/CurrentBandwidth * 100)
      | stats  values(total)
SGF
Reply
Solved! Jump to solution

tysonjhayes
Explorer
‎05-06-2015 11:45 AM

Still getting null or 0 on CurrentBandwidth. The query by itself is producing results though. I'm checking it by running the query in the brackets by itself (seeing the results), then I tried taking everything before the eval and doing a | table CurrentBandwidth (seeing rows with no data). Thanks for your assistance thus far!

0 Karma
Reply
Solved! Jump to solution

stephanefotso
Motivator
‎05-06-2015 12:52 PM

I now understand. I thing the problem should be the appen command. Change appen and try use apppencols or join. Something like this, with appendcols:

 index=index host=host object="Network Interface" counter="Bytes Total/sec"
      | bucket _time span=1m
      | stats avg(Value) as bytesByHost by _time,host
      | stats sum(bytesByHost) as totalBytes by _time
      | appendcols [search index=index host=host object="Network Interface" counter="Current Bandwidth" instance!="isatap.*"
          | bucket _time span=1m 
          | stats avg(Value) as connsByHost by _time | stats sum(connsByHost) as CurrentBandwidth by _time ]
      | eval total= exact(totalBytes*8/CurrentBandwidth * 100)
  | stats  values(total)
SGF
Reply
Solved! Jump to solution

tysonjhayes
Explorer
‎05-06-2015 01:34 PM

Brilliant! That works! Now, what is apppencols? I'm not seeing any documentation on it, or I'm missing something super obivous.

0 Karma
Reply
Solved! Jump to solution

stephanefotso
Motivator
‎05-06-2015 02:01 PM

here you go: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Appendcols

SGF
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...